From:	 wietse@porcupine.org (Wietse Venema)
To:	 bugtraq@securityfocus.com
Subject: Postfix session log memory exhaustion bugfix
Date:	 Wed, 14 Nov 2001 23:08:04 -0500 (EST)

The Postfix SMTP server maintains a record of SMTP conversations
for debugging purposes. Depending on local configuration details
this record is mailed to the postmaster whenever an SMTP session
terminates with errors.

During code maintenance, a stupid error was introduced into the
code due to which the SMTP session log could grow to an unreasonable
size.   This stupid error made Postfix vulnerable to a memory
exhaustion attack.

This error is all my own fault and I take full responsibility for
it.

A similarly stupid memory exhaustion vulnerability was found in
the qmail SMTP server more than four years ago. It was never fixed.

The patch below applies to any Postfix release that was issued in
the year 2001. Fully patched releases will be made available via
the usual web sites listed in www.postfix.org.

Primary site:

    ftp://ftp.porcupine.org/mirrors/postfix-release/index.html

Releases:

    snapshot-20011114

    postfix-20010228-pl07

Thank you for your attention.

	Wietse

*** ./smtpd.c-	Sun Oct 28 19:31:14 2001
--- ./smtpd.c	Wed Nov 14 22:21:46 2001
***************
*** 1060,1065 ****
--- 1060,1077 ----
      state->where = SMTPD_AFTER_DOT;
  
      /*
+      * Notify the postmaster if there were errors. This usually indicates a
+      * client configuration problem, or that someone is trying nasty things.
+      * Either is significant enough to bother the postmaster. XXX Can't
+      * report problems when running in stand-alone mode: postmaster notices
+      * require availability of the cleanup service.
+      */
+     if (state->history != 0 && state->client != VSTREAM_IN
+ 	&& (state->error_mask & state->notify_mask))
+ 	smtpd_chat_notify(state);
+     smtpd_chat_reset(state);
+ 
+     /*
       * Cleanup. The client may send another MAIL command.
       */
      mail_reset(state);
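Review bot: The new `smtpd_chat_reset(state)` call is placed only on the end-of-DATA path (just after `state->where = SMTPD_AFTER_DOT`), so it bounds the session log to one message at a time on that path, but the hunk does not show the same reset on the other points where a transaction ends without reaching the final dot (RSET, or a MAIL/RCPT/DATA sequence rejected before the message body is accepted); confirm those paths also reset the history or the per-session growth the message describes remains on them. Two smaller points: the notification is correctly guarded by `state->history != 0 && state->client != VSTREAM_IN && (state->error_mask & state->notify_mask)`, but the reset that follows it is unconditional, so it should be verified that `smtpd_chat_reset()` tolerates an empty or never-allocated history; and since the new comment already explains the stand-alone-mode limitation, it would help to mention in the code comment that the reset is the fix for the unbounded log, so the next maintenance pass does not move it.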