Re: [Mutt] #2684: crash on s/mime verification

Sun, 01 Apr 2007 21:24:48 -0700 

#2684: crash on s/mime verification

Changes (by brendan):

  * owner:  mutt-dev => brendan
  * status:  new => assigned
  * component:  mutt => crypto
  * milestone:  => 1.6

Old description:

> {{{
> I tried to verify an S/MIME signed test mail with GPG encrypted body. But
> I noticed two problems:
> 1) mutt asks for my s/mime password, but it shouldn't need it for
> verification.
> 2) After decrypting the body it crashes.
>
> Program received signal SIGSEGV, Segmentation fault.
> safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at
> lib.c:214
> 214       if (!s || !*s)
> (gdb) bt
> #0  safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at
> lib.c:214
> #1  0x080a9ee7 in mutt_write_mime_header (a=0x99fbe60, f=0x99fbe60) at
> sendlib.c:324
> #2  0x080612d5 in _mutt_copy_message (fpout=0x99fbe60, fpin=0x99d2018,
> hdr=0x99d2b48, body=0x99d3020, flags=1024, chflags=770) at copy.c:687
> #3  0x08061a6a in mutt_copy_message (fpout=0x99fbe60, src=0x99422c0,
> hdr=0x99d2b48, flags=1024, chflags=770) at copy.c:742
> #4  0x080c692b in smime_verify_sender (h=0x99d2b48) at smime.c:1174
> #5  0x0805b685 in mutt_display_message (cur=0x99d2b48) at commands.c:185
> #6  0x080663d8 in mutt_index_menu () at curs_main.c:1366
> #7  0x08080b55 in main (argc=4, argv=0xbfaf6184) at main.c:1023
>
> cur is not initialised here:
>
> 687         mutt_write_mime_header (cur, fpout);
>
> so after sendlib.c:308 :
> (gdb) x cur->subtype
> 0xb7fa2000:      "Content-Type: message/Content-Type: message/Content-
> Type: message/Content-Type: message/Content-Type: message/Content-Type:
> message/Content-Type: message/Content-Type: message/Content-Type:
> message/Co"...
> >How-To-Repeat:
> >Fix:
> This patch prevents the crash, but I'm not sure if it is correct or not.
>
> --- mutt-1.5.13/copy.c.old      2007-01-05 00:01:38.000000000 +0200
> +++ mutt-1.5.13/copy.c  2007-01-05 00:01:48.000000000 +0200
> @@ -677,7 +677,7 @@ _mutt_copy_message (FILE *fpout, FILE *f
>
>      if ((WithCrypto & APPLICATION_SMIME)
>          && (flags & M_CM_DECODE_SMIME) && (hdr->security &
> APPLICATION_SMIME)
> -             && hdr->content->type == TYPEAPPLICATION)
> +             && hdr->content->type == TYPEMULTIPART)
>      {
>        if (crypt_smime_decrypt_mime (fpin, &fp, hdr->content, &cur))
>         return (-1);
> }}}

New description:

 I tried to verify an S/MIME signed test mail with GPG encrypted body. But
 I noticed two problems:

 1. mutt asks for my s/mime password, but it shouldn't need it for
 verification.

 2. After decrypting the body it crashes.
 {{{
 Program received signal SIGSEGV, Segmentation fault.
 safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at lib.c:214
 214       if (!s || !*s)
 (gdb) bt
 #0  safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at
 lib.c:214
 #1  0x080a9ee7 in mutt_write_mime_header (a=0x99fbe60, f=0x99fbe60) at
 sendlib.c:324
 #2  0x080612d5 in _mutt_copy_message (fpout=0x99fbe60, fpin=0x99d2018,
 hdr=0x99d2b48, body=0x99d3020, flags=1024, chflags=770) at copy.c:687
 #3  0x08061a6a in mutt_copy_message (fpout=0x99fbe60, src=0x99422c0,
 hdr=0x99d2b48, flags=1024, chflags=770) at copy.c:742
 #4  0x080c692b in smime_verify_sender (h=0x99d2b48) at smime.c:1174
 #5  0x0805b685 in mutt_display_message (cur=0x99d2b48) at commands.c:185
 #6  0x080663d8 in mutt_index_menu () at curs_main.c:1366
 #7  0x08080b55 in main (argc=4, argv=0xbfaf6184) at main.c:1023
 }}}
 cur is not initialised here:
 {{{
 687         mutt_write_mime_header (cur, fpout);
 }}}
 so after sendlib.c:308 :
 {{{
 (gdb) x cur->subtype
 0xb7fa2000:      "Content-Type: message/Content-Type: message/Content-
 Type: message/Content-Type: message/Content-Type: message/Content-Type:
 message/Content-Type: message/Content-Type: message/Content-Type:
 message/Co"...
 }}}
 >Fix:
 This patch prevents the crash, but I'm not sure if it is correct or not.
 {{{
 --- mutt-1.5.13/copy.c.old      2007-01-05 00:01:38.000000000 +0200
 +++ mutt-1.5.13/copy.c  2007-01-05 00:01:48.000000000 +0200
 @@ -677,7 +677,7 @@ _mutt_copy_message (FILE *fpout, FILE *f

      if ((WithCrypto & APPLICATION_SMIME)
          && (flags & M_CM_DECODE_SMIME) && (hdr->security &
 APPLICATION_SMIME)
 -             && hdr->content->type == TYPEAPPLICATION)
 +             && hdr->content->type == TYPEMULTIPART)
      {
        if (crypt_smime_decrypt_mime (fpin, &fp, hdr->content, &cur))
         return (-1);
 }}}

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2684#comment:1>

Reply via email to