#623856 String overscan issues in ssmtp (potential for memory corruption)

Package:
ssmtp
Source:
ssmtp
Description:
extremely simple MTA to get mail off the system to a mail hub
Submitter:
Wayne Davison
Date:
2026-02-25 12:47:01 UTC
Severity:
normal
#623856#5
Date:
2011-04-23 18:46:06 UTC
From:
To:
I have a patch that fixes several issues with the parsing of the From
line where a string scan could go off the end or the beginning of the
string.  For instance, if it finds a '(' (on a From line w/o a
'<'...'>' bounded addr), it will scan past the end if no ')' is found.
If a trailing ')' is found, it will scan past the beginning if no
'(' is found.  And the trailing-space stripping function has a bug
that makes it unsafe if called on an empty (or white-space only)
string (e.g. the parsing of a From line that has only trailing spaces
could trigger that bug).

In each failure case the code can potentially write a zero byte
somewhere outside of the string's memory, possibly corrupting malloc
pointers or other nearby data.  In the addr_parse() case there is also
the potential to return a random section of memory as the parsed
address.

My patch for these issues is here:  http://opencoder.net/ssmtp-overscan.patch

..wayne..
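Added illustration (not ssmtp's code and not the patch linked above): a constructed C example of the three overscans the report describes, each beside a bounded replacement. The unsafe trailing-space stripper is included for contrast and is never called on the inputs that break it; the two unsafe scans are shown in comments at the points where the bounded code replaces them. The 256-byte working buffer, the accepted From-line shapes ("<addr>", "addr (comment)", "(comment) addr") and the policy of rejecting a line rather than guessing when a parenthesis is unmatched are choices of this example, not behaviour taken from ssmtp or the patch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not ssmtp's code, not the linked patch): the
   trailing-space and comment-scanning overscans the report describes,
   with bounded replacements. */

/* Unsafe trailing-space stripping as described in the report. On "" the
   start pointer is s - 1; on "   " the loop walks off the front of s.
   Either way the terminating zero is written outside the string.
   Shown for contrast only; never called on such input below. */
void unsafe_strip_trailing_ws(char *s)
{
    char *p = s + strlen(s) - 1;
    while (isspace((unsigned char)*p))
        p--;
    p[1] = '\0';
}

/* Bounded version: correct on "", on all-whitespace, and on normal input. */
size_t strip_trailing_ws(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        n--;
    s[n] = '\0';
    return n;
}

/* Extract the address from a From line into out. Accepts "<addr>",
   "addr (comment)" and "(comment) addr". Returns false instead of
   overscanning when a '(' is unclosed, a trailing ')' has no '(',
   the buffer is too small, or nothing is left after trimming. */
bool parse_from(const char *in, char *out, size_t outsz)
{
    char buf[256];                             /* size chosen for this example */
    if (outsz == 0 || strlen(in) >= sizeof buf) return false;
    strcpy(buf, in);
    size_t n = strip_trailing_ws(buf);
    const char *start = buf, *end = buf + n;   /* address is [start, end) */

    char *lt = strchr(buf, '<');
    if (lt) {                                  /* bounded "<addr>" form */
        char *gt = strchr(lt + 1, '>');
        if (!gt) return false;
        start = lt + 1;
        end = gt;
    } else if (n > 0 && buf[n - 1] == ')') {   /* trailing "(comment)" */
        /* The unsafe form was `while (*p != '(') p--;` with no lower
           bound, so a ')' with no '(' walks before the buffer. */
        char *p = buf + n - 1;
        while (p > buf && *p != '(') p--;
        if (*p != '(') return false;
        end = p;
    } else {
        char *lp = strchr(buf, '(');
        if (lp) {                              /* leading "(comment)" */
            /* The unsafe form was `while (*q != ')') q++;`, which runs
               past the NUL when no ')' exists; strchr stops at the NUL. */
            char *rp = strchr(lp, ')');
            if (!rp) return false;
            start = rp + 1;
        }
    }

    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= outsz) return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* Convenience wrapper: parsed address, or NULL when the line is rejected. */
const char *parse_from_str(const char *in)
{
    static char out[256];
    return parse_from(in, out, sizeof out) ? out : NULL;
}

int main(void)
{
    /* Constructed sample From lines, including the failure cases from the report. */
    const char *lines[] = { "Wayne <wayne@example.com>  ", "wayne@example.com (Wayne)",
                            "(Wayne) wayne@example.com", "wayne@example.com (unclosed",
                            "wayne@example.com)", "   ", "" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *a = parse_from_str(lines[i]);
        printf("%-30s -> %s\n", lines[i], a ? a : "rejected");
    }
    return 0;
}
```

The point of the bounded scans is that every loop has a limit that does not depend on finding the character it is looking for: `strchr` halts at the terminator, the backward scan halts at `buf`, and the whitespace stripper counts down from the length rather than walking a pointer that may start before the buffer. Each failure case then becomes an explicit "reject this line" return instead of a zero byte written outside the string or a pointer into unrelated memory being handed back as the address.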