To: stunnel-users@mirt.net
Date: Tue, 18 Dec 2001 15:26:25 +0100
From: Matthias Lange <ml@netuse.de>
Subject: stunnel client security patch


Hi,

I found a format string bug in stunnel.

In some occasions, fdprintf is used without a
format parameter. Fortunately, the errors are
only in the smtp and pop3 client implementations,
so "ordinary" servers are not affected.

I succeeded to crash stunnel with the following setup:

Acting as a mail server:
$ netcat -p 252525 -l


Acting as a mail client:
$ stunnel -c -n smtp -r localhost:252525

When the connection is established, I send a string like
"%s%s%s%s%s%s%s%s%s%s%s%s" from the netcat to the stunnel.

Then the stunnel performs: fdprintf(c->local_wfd,"%s%s%s%s..."),
prints out a lot of garbage, possibly with a segmentation fault.

I have attached a patch for stunnel-3.21c.

Greetings

Matthias Lange
--
Matthias Lange, BSc
NetUSE AG               Dr.-Hell-Stra?e         Fon: +49 431 38643500
http://www.netuse.de/   D-24107 Kiel, Germany   Fax: +49 431 38643599