To: stunnel-users@mirt.net
Date: Tue, 18 Dec 2001 15:26:25 +0100
From: Matthias Lange
Subject: stunnel client security patch

Hi,

I found a format string bug in stunnel. On some occasions, fdprintf is used without a format parameter. Fortunately, the errors are only in the smtp and pop3 client implementations, so "ordinary" servers are not affected.

I succeeded in crashing stunnel with the following setup:

Acting as a mail server:

    $ netcat -p 252525 -l

Acting as a mail client:

    $ stunnel -c -n smtp -r localhost:252525

When the connection is established, I send a string like "%s%s%s%s%s%s%s%s%s%s%s%s" from the netcat to the stunnel. Then the stunnel performs:

    fdprintf(c->local_wfd,"%s%s%s%s...")

which prints out a lot of garbage, possibly with a segmentation fault.

I have attached a patch for stunnel-3.21c.

Greetings
Matthias Lange

--
Matthias Lange, BSc          NetUSE AG
Dr.-Hell-Straße              Fon: +49 431 38643500
http://www.netuse.de/        D-24107 Kiel, Germany
                             Fax: +49 431 38643599
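The bug class described above, as an added example that is not the author's patch or stunnel's source: a hypothetical fdprintf-style helper (fdprintf_demo) carrying the compiler's format attribute, with the unsafe call pattern shown in a comment and the corrected call, which passes the peer-supplied line as data under a literal "%s" format, exercised on the same "%s%s..." input.

```c
/* Added example, not from stunnel or Matthias Lange's patch.
 * fdprintf_demo() stands in for stunnel's fdprintf(): it formats into a
 * buffer and writes it to fd (fd < 0 means "format only", for checking). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static char g_last[512];  /* copy of the last formatted text, for inspection */

/* The format attribute lets GCC/Clang (-Wformat -Wformat-security) warn
 * whenever a non-literal is passed as fmt, which is exactly the defect
 * reported for the smtp/pop3 client code. */
__attribute__((format(printf, 2, 3)))
static int fdprintf_demo(int fd, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(g_last, sizeof g_last, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= sizeof g_last)
        n = (int)sizeof g_last - 1;       /* output was truncated */
    if (fd >= 0 && write(fd, g_last, (size_t)n) < 0)
        return -1;
    return n;
}

const char *last_formatted(void) { return g_last; }

/* Vulnerable pattern (never call this with peer data):
 *     fdprintf_demo(fd, line);
 * Here `line` becomes the format string, so "%s%s%s..." from the peer makes
 * vsnprintf walk the stack for string pointers and read wild memory.
 *
 * Fixed pattern: the peer line is an argument, the format is a literal.
 * Every '%' in `line` is copied through verbatim. */
int relay_line_fixed(int fd, const char *line)
{
    return fdprintf_demo(fd, "%s", line);
}

int main(void)
{
    /* Constructed sample: the string from the mail, relayed safely to stdout. */
    relay_line_fixed(1, "%s%s%s%s%s%s%s%s%s%s%s%s\n");
    return 0;
}
```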