-= CVE-1999-0047 =-

Vulnerable version: Sendmail 8.8.3 and 8.8.4
File: sendmail/mime.c
Download from: source not available anymore

Domain: Server

_ Vulnerable Functions and Buffers _

Function mime7to8 reads four characters at a time from a file and copies each character into a fixed-size buffer. The number of elements copied depends on the length of the input, but the pointer into the destination buffer is reset if a '\n' is encountered. A typo (fbuf >= &fbuf[X], which is always false, instead of fbufp >= &fbuf[X]) prevents the copying loop from stopping early if the end of the destination buffer is reached. The patched version fixes the typo.
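
The always-false check described above, as an added example that is neither Zitser's model program nor Sendmail source: a simplified C model that tracks offsets instead of raw pointers, so the overflow is counted rather than performed. The function name, the one-byte-per-iteration loop and BASE_SZ = 8 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define BASE_SZ 8 /* constructed size; stands in for the X in the text */

/*
 * Simplified model of the copy loop (assumed shape, not the original code).
 * "base" plays the role of fbuf (always offset 0), "pos" the role of fbufp.
 * use_typo != 0 selects the check from the vulnerable version.
 * Returns how many writes would have landed past the end of fbuf.
 */
size_t count_oob_writes(const char *input, char fbuf[BASE_SZ], int use_typo)
{
    const size_t base = 0;
    size_t pos = 0, oob = 0;

    for (; *input != '\0'; input++) {
        if (pos < BASE_SZ)
            fbuf[pos] = *input; /* in-bounds write */
        else
            oob++;              /* real code would write out of bounds here */
        pos++;

        /* typo: fbuf >= &fbuf[X] (never true); fix: fbufp >= &fbuf[X] */
        size_t checked = use_typo ? base : pos;
        if (*input == '\n' || checked >= BASE_SZ)
            pos = 0;            /* line flushed, pointer reset */
    }
    return oob;
}

int main(void)
{
    char fbuf[BASE_SZ];
    /* constructed input: one short line, then 20 bytes with no newline */
    const char *long_line = "short\n" "AAAAAAAAAA" "AAAAAAAAAA";

    printf("typo:  %zu out-of-bounds writes\n",
           count_oob_writes(long_line, fbuf, 1));
    printf("fixed: %zu out-of-bounds writes\n",
           count_oob_writes(long_line, fbuf, 0));
    return 0;
}
```

Input whose lines are all shorter than the buffer never reaches the broken check, so the typo stays latent until a line without a '\n' exceeds the buffer size.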

_ Decomposed Programs _

Zitser's model program:

mime7to8/
  mime7to8_{arr,ptr}_{one,two,three}_char*_{no,med,heavy}_test_{bad,ok}.c

Variants arr and ptr use array indexing and pointer operations, respectively. Variants one, two, and three read (and test) one, two, and three characters from input on each iteration of the while loop. Variant no only checks whether the input char is EOF; med also checks whether the input is '=', '\n', or '\r'; heavy also checks the input with isascii and isspace.

_ Notes _

This is Zitser's sendmail/s4, simplified.

BASE_SZ was originally 50.
