This is a discussion on Two smaller overflows in mail(1) within the mailing.openbsd.tech forums, part of the OpenBSD category.
Hello,

I have found some smaller overflow issues in /usr/bin/mail (both in OpenBSD 3.7 and in the latest CVS version). They don't seem to have any security impact.

a) off-by-one bug

There is an off-by-one bug in readtty() in tty.c. It writes '\0' just outside a character array when the user input is long enough. The following patch fixes this glitch:

--- usr.bin/mail/tty.c.old 2003-06-03 04:56:11.000000000 +0200 +++ usr.bin/mail/tty.c 2005-06-19 01:13:49.577213600 +0200 @@ -230,7 +230,7 @@ readtty(char *pr, char *src) (void)sigaction(SIGTTIN, &act, NULL); (void)sigprocmask(SIG_UNBLOCK, &intset, &oset); clearerr(stdin); - while (cp2 < canonb + BUFSIZ) { + while (cp2 < canonb + BUFSIZ - 1) { c = getc(stdin); switch (ttysignal) { case SIGINT:

b) buffer overflow if BUFSIZ > 1024

If BUFSIZ is larger than 1024 (the value of STRINGLEN) and scan() in list.c is called with a long string containing many digits, there is a buffer overflow. One system that gets hit by this bug is Debian GNU/Linux (see bug #313306 [1]). Relying on such outside factors as the value of BUFSIZ is a bug in the code, even if it might not have any effect on a stock OpenBSD system. Here is a patch for this little programming mistake that causes crashes on certain systems:

--- usr.bin/mail/list.c.old 2004-11-23 10:10:35.000000000 +0100 +++ usr.bin/mail/list.c 2005-06-19 01:16:03.498854416 +0200 @@ -543,7 +543,8 @@ scan(char **sp) lexnumber = 0; while (isdigit(c)) { lexnumber = lexnumber*10 + c - '0'; - *cp2++ = c; + if (cp2 - lexstring < STRINGLEN-1) + *cp2++ = c; c = *cp++; } *cp2 = '\0';

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313306

// Ulf Harnhammar
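Review bot: in the tty.c hunk, the `- 1` in `while (cp2 < canonb + BUFSIZ - 1)` needs a short comment saying it reserves the last byte for the '\0' stored after the loop, because that store is outside the shown context and a later reader could "fix" the bound back to BUFSIZ. If canonb is declared as an array in readtty(), `sizeof(canonb) - 1` would tie the bound to the declaration instead of repeating BUFSIZ. It is also worth stating in the commit message that with this bound the loop stops one byte earlier on a full line, so over-long input is truncated and the unread characters remain on stdin rather than being rejected.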
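Review bot: in the list.c hunk, the new guard `if (cp2 - lexstring < STRINGLEN-1)` silently drops digits once lexstring is full while `lexnumber = lexnumber*10 + c - '0';` keeps accumulating on every digit, so for an over-long token the string and the number no longer agree, and lexnumber itself can overflow (signed overflow, undefined behaviour in C) on a long enough digit run. Consider reporting an error when the bound is reached instead of truncating, or at least bounding lexnumber as well. Style: KNF spacing is `STRINGLEN - 1`, and a one-line comment should say the `- 1` leaves room for the `*cp2 = '\0';` after the loop.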