Skip to content

Mitigate buffer overflow in SMTP: Ensure username_size < sizeof username before memcpy #306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
charliemirabile merged 1 commit into from
Dec 1, 2025
Merged

Mitigate buffer overflow in SMTP: Ensure username_size < sizeof username before memcpy #306

charliemirabile merged 1 commit into from
Dec 1, 2025

Conversation

@DaBigBlob
Copy link
Contributor

@DaBigBlob DaBigBlob commented Nov 30, 2025
edited
Loading

Trivial fix but mitigates a potentially nasty memory bug (buffer overflow) in the SMTP server.

Diff

@@ -549,6 +549,7 @@ static void handle_auth(enum state *state)
 		if(user_end == NULL)
 			REPLY("535 Authentication credentials invalid")
 		username_size = (size_t)(user_end - user_start);
+		if (username_size > sizeof username) REPLY("535 Username too long");
 		memcpy(username, user_start, username_size);
 		if(!validate_and_case_fold_email_address(username_size, username))
 			REPLY("535 Invalid username")

Explanation

  • line_buff is 1024 chars and username is 256 chars.
  • by the time execution reaches memchr in the AUTH PLAIN branch, line_size isn't necessarily small enough to ensure that username_size computes to <= 256.
  • this allows for user input to (using SMPT command AUTH PLAIN) to write arbitrary ~1k data starting from pointer username.

PoC

printf 'EHLO kdlp\r\nAUTH PLAIN %s\r\nQUIT\r\n' $(python3 -c 'import base64; print(base64.b64encode(b"\x00" + b"a"*500 + b"\x00" + b"p"*5).decode())') | ./smtp dir_mail dir_log dir_patchset

charliemirabile
charliemirabile requested changes Dec 1, 2025
View reviewed changes
charliemirabile
charliemirabile requested changes Dec 1, 2025
View reviewed changes
charliemirabile
charliemirabile requested changes Dec 1, 2025
View reviewed changes
Copy link
Contributor

@charliemirabile charliemirabile left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I should have said to use the more specific verb "fixup" instead of "squash", but in either case I do not need three commit messages and three signed off by lines. You can delete everything below the first DCO with a git commit --amend and then force push

@DaBigBlob
Ensure username_size < sizeof username before memcpy
f01ee24 
Fixes: 6259a21 ("Add support for AUTH PLAIN")

Signed-off-by: Hans <localboxcrox@gmail.com>
charliemirabile
charliemirabile approved these changes Dec 1, 2025
View reviewed changes
Copy link
Contributor

@charliemirabile charliemirabile left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@charliemirabile charliemirabile merged commit 88d53de into underground-software:master Dec 1, 2025
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@charliemirabile charliemirabile charliemirabile approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DaBigBlob @charliemirabile