tags 343836 + security
thanks

Steve,

are you using multidrop mode? If so, please test if the attached patch
fixes the bug.  It is an untested backport from 6.3.1-rc1.

If you are not using multidrop mode, please provide your configuration
details (passwords masked!) and a stack backtrace.

-- 
Matthias Andree
--- ./transact.c.orig	2005-11-12 13:44:39.000000000 +0100
+++ ./transact.c	2005-12-19 00:20:05.000000000 +0100
@@ -401,16 +401,14 @@
      * condition the code for sending bouncemail will actually look
      * at the freed storage and coredump...
      */
-    if (msgblk.headers)
-       free(msgblk.headers);
+    xfree(msgblk.headers);
     free_str_list(&msgblk.recipients);
-    if (delivered_to)
-	free(delivered_to);
+    xfree(delivered_to);
 
     /* initially, no message digest */
     memset(ctl->digest, '\0', sizeof(ctl->digest));
 
-    msgblk.headers = received_for = delivered_to = NULL;
+    received_for = NULL;
     from_offs = reply_to_offs = resent_from_offs = app_from_offs = 
 	sender_offs = resent_sender_offs = env_offs = -1;
     oldlen = 0;
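Review bot: Dropping `msgblk.headers = ... = delivered_to = NULL` is only safe if `xfree()` both accepts a NULL argument and resets its argument to NULL after freeing. The definition of `xfree()` is not part of this patch, and because this is a backport, the target tree may not define it the way 6.3.1-rc1 does. If it only frees, `msgblk.headers` and `delivered_to` keep stale values and the next pass through this cleanup frees them again, which is the freed-storage problem the comment above describes. The same assumption holds for `xfree(delivered_to)` in the `@@ -1024` hunk, and the later hunks that delete the per-error-path frees all depend on this one cleanup site. I would verify the macro in the target tree and add a comment here such as `/* xfree() NULLs its argument; the error returns below rely on this being the only cleanup site */`. The enclosing function starts and ends outside the hunk.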
@@ -434,8 +432,6 @@
 		if ((n = SockRead(sock, buf, sizeof(buf)-1)) == -1) {
 		    set_timeout(0);
 		    free(line);
-		    free(msgblk.headers);
-		    msgblk.headers = NULL;
 		    return(PS_SOCKET);
 		}
 		set_timeout(0);
@@ -877,11 +873,7 @@
  process_headers:    
 
     if (retain_mail)
-    {
-	free(msgblk.headers);
-	msgblk.headers = NULL;
 	return(PS_RETAINED);
-    }
     if (refuse_mail)
 	return(PS_REFUSED);
     /*
@@ -912,7 +904,7 @@
      * to break it in a way that blackholed mail.  Better to pass
      * the occasional duplicate than to do that...
      */
-    if (MULTIDROP(ctl))
+    if (MULTIDROP(ctl) && msgblk.headers)
     {
 	MD5_CTX context;
 
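Review bot: With the new `&& msgblk.headers` guard, a message that reaches this point with NULL headers keeps `ctl->digest` at the all-zero value set by the `memset` shown in the first hunk. Every such message therefore carries the same digest. If a later comparison uses the digest to spot duplicates (that code is not in this patch), two of these messages could be taken for the same one, so please confirm that path treats a zero digest as "no digest". The guard also protects only this block; other reads of `msgblk.headers` after `process_headers` fall outside the visible hunks and should be checked for the same NULL case. A comment here would record the intent: `/* msgblk.headers can be NULL here; skip the digest and leave it zeroed */`. The body of this `if` continues past the hunk.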
@@ -1024,8 +1016,7 @@
       ctl->server.envelope && !strcasecmp(ctl->server.envelope, "Delivered-To"))
    {
 	    find_server_names(delivered_to, ctl, &msgblk.recipients);
-       free(delivered_to);
-       delivered_to = NULL;
+	    xfree(delivered_to);
    }
 	else if (received_for)
 	    /*
@@ -1087,9 +1078,6 @@
 	if (outlevel >= O_DEBUG)
 	    report(stdout,
 		   GT_("forwarding and deletion suppressed due to DNS errors\n"));
-	free(msgblk.headers);
-	msgblk.headers = NULL;
-	free_str_list(&msgblk.recipients);
 	return(PS_TRANSIENT);
     }
     else
@@ -1097,12 +1085,7 @@
 	/* set up stuffline() so we can deliver the message body through it */ 
 	if ((n = open_sink(ctl, &msgblk,
 			   &good_addresses, &bad_addresses)) != PS_SUCCESS)
-	{
-	    free(msgblk.headers);
-	    msgblk.headers = NULL;
-	    free_str_list(&msgblk.recipients);
 	    return(n);
-	}
     }
 
     n = 0;
@@ -1224,9 +1207,6 @@
     {
 	report(stdout, GT_("writing RFC822 msgblk.headers\n"));
 	release_sink(ctl);
-	free(msgblk.headers);
-	msgblk.headers = NULL;
-	free_str_list(&msgblk.recipients);
 	return(PS_IOERR);
     }
     else if ((run.poll_interval == 0 || nodetach) && outlevel >= O_VERBOSE && !isafile(2))
