tag 533006 pending
thanks

[2009-06-13 19:56] Andreas Hoenen <andr...@hoenen-terstappen.de>
> Package: masqmail
> Version: 0.2.21-6
> Severity: important
>
> After upgrading masqmail 0.2.21-5 to 0.2.21-6, masqmail segfaults when trying
> to deliver queued mails:
>
> Jun 13 19:33:05 manetheren masqmail[16167]: Starting queue run.
> Jun 13 19:33:05 manetheren kernel: [ 1983.224568] masqmail[16167]: segfault at 0 ip 805706d sp ff965910 error 4 in masqmail[8048000+1c000]
> Jun 13 19:33:05 manetheren masqmail[16166]: process with pid 16167 got signal: 11
>
> Reverting to 0.2.21-5 resolves the problem, as well as rebuilding 0.2.21-6 with
> the 0.2.21-5 version of file online.c. When looking at the changes between -5
> and -6 for this file, it seems that masqmail tries to determine the length of an
> uninitialized string (l.39):
>
> 25 static
> 26 gchar *detect_online_pipe(const gchar *pipe)
> 27 {
> 28         pid_t pid;
> 29         void (*old_signal)(int);
> 30         int status;
> 31         FILE *in;
> 32         gchar *name = NULL;
>
> 33         old_signal = signal(SIGCHLD, SIG_DFL);
>
> 34         in = peopen(pipe, "r", environ, &pid);
> 35         if(in != NULL){
> 36                 gchar output[256];
> 37                 if(fgets(output, 255, in)){
> 38                         g_strchomp(g_strchug(output));
> 39                         if (strlen(name) == 0) { /* <- !!! SUSPICIOUS !!! */
> 40                                 logwrite(LOG_ALERT, "only whitespace connection name\n");
> 41                                 name = NULL;
> 42                         } else {
> 43                                 name = g_strdup(output);
> 44                         }
> 45                 } else {
> 46                         logwrite(LOG_ALERT, "nothing read from pipe %s\n", pipe);
> 47                         name = NULL;
> 48                 }

Thanks for this excellent bug report! I'm deeply ashamed for this bug. The
length must get determined from `output' instead of `name'. Unfortunately, the
bug appeared during a by-hand code transfer, sorry. Next time I'd better create
a patch and apply it, even for a few lines.

meillo
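As an added illustration (not code from the bug report or from masqmail itself), the following stand-alone C program mirrors the body of detect_online_pipe() with the fix the maintainer describes: the length check runs on `output', the buffer fgets() just filled, rather than on `name', which is still NULL at that point. To run without masqmail or GLib it replaces g_strchug()/g_strchomp() with a small local trimmer and feeds constructed input through fmemopen() instead of peopen(); the function names detect_online_from_stream() and detect_online_from_string() are hypothetical and the sample inputs are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() and strdup() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Trim leading and trailing whitespace in place: a local stand-in for
 * g_strchomp(g_strchug(output)) so the example needs no GLib. */
static char *trim_in_place(char *s)
{
    char *start = s;
    while (*start && isspace((unsigned char)*start))
        start++;
    size_t len = strlen(start);
    while (len > 0 && isspace((unsigned char)start[len - 1]))
        len--;
    memmove(s, start, len);
    s[len] = '\0';
    return s;
}

/* Read the first line from an already-open stream and return the trimmed
 * connection name (malloc'd, caller frees), or NULL if nothing usable was
 * read. This is the hypothetical fixed shape of detect_online_pipe()'s body:
 * `name' is still NULL when the length is checked, so the check must look at
 * `output'. The original line 39 called strlen(name), which reads through a
 * NULL pointer; that matches the kernel's "segfault at 0" in the report. */
char *detect_online_from_stream(FILE *in)
{
    char output[256];
    char *name = NULL;

    if (in == NULL)
        return NULL;
    if (fgets(output, sizeof output, in) == NULL) {
        fprintf(stderr, "nothing read from pipe\n");
        return NULL;
    }
    trim_in_place(output);
    if (strlen(output) == 0) {          /* fixed: was strlen(name) */
        fprintf(stderr, "only whitespace connection name\n");
        return NULL;
    }
    name = strdup(output);
    return name;
}

/* Wrapper for constructed input: an in-memory stream stands in for the pipe
 * that peopen() would open in masqmail. An empty string yields NULL either
 * way (fmemopen() may refuse a zero-length buffer, or fgets() reads nothing). */
char *detect_online_from_string(const char *text)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL)
        return NULL;
    char *name = detect_online_from_stream(in);
    fclose(in);
    return name;
}

int main(void)
{
    /* Constructed samples: a normal name, whitespace only, and no output. */
    const char *samples[] = { "  eth0  \n", "   \n", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *name = detect_online_from_string(samples[i]);
        printf("sample %zu -> %s\n", i, name ? name : "(null)");
        free(name);
    }
    return 0;
}
```

Compile with `cc -Wall -o detect detect.c` and run it; the whitespace-only and empty cases log an alert and return NULL instead of crashing. Note that `-Wall` alone does not flag the original defect: `name' is assigned NULL and then read before any other assignment, which is exactly the pattern a NULL-dereference checker (or simply testing the whitespace-only path) would have caught before the upload.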