search for: mailtmplen

...code tree of the server source distribution. The problem occurs due to the routine''s attempt to allow a case insensitive match on the username, which it does by copying the username provided to the routine into an automatic variable in the routine''s stack. The username buffer is MAILTMPLEN long, which defaults to 1024 bytes. Unfortunately, the server''s input buffer is greater than this, allowing a remote client to feed the routine a username greater than 1024 bytes. If the excess characters in this username contain a valid virtual memory address, the routine will overwrite i...