Hi,

I’ve come across a use-after-free in sasl calls when
authenticating using digest-md5 against an smtp server:

--8<-- free 1 ----------------------------------------------->8--

#0  free_rc4 (text=text@entry=0x21d3460) at digestmd5.c:1227
#1  0x00007f1fa8416b92 in make_client_response (text=text@entry=0x21d3460, params=params@entry=0x21d3200, oparams=oparams@entry=0x21d18f0) at digestmd5.c:3613
#2  0x00007f1fa8417039 in digestmd5_client_mech_step2 (oparams=<optimized out>, clientoutlen=<optimized out>, clientout=<optimized out>, prompt_need=<optimized out>, serverinlen=<optimized out>, serverin=<optimized out>, params=0x21d3200, ctext=<optimized out>) at digestmd5.c:4364
#3  digestmd5_client_mech_step (conn_context=<optimized out>, params=0x21d3200, serverin=<optimized out>, serverinlen=<optimized out>, prompt_need=<optimized out>, clientout=<optimized out>, clientoutlen=<optimized out>, oparams=<optimized out>) at digestmd5.c:4558
#4  0x00007f1fa7e6a471 in sasl_client_step (conn=0x21d1080, serverin=<optimized out>, serverinlen=<optimized out>, prompt_need=prompt_need@entry=0x7fffc8656330, clientout=clientout@entry=0x7fffc8656340, clientoutlen=clientoutlen@entry=0x7fffc865631c) at client.c:922
#5  0x0000000000492c05 in smtp_auth_sasl (conn=conn@entry=0x210f810, mechlist=<optimized out>) at smtp.c:635
#6  0x000000000049339d in smtp_auth (conn=0x210f810) at smtp.c:549
#7  smtp_open (conn=0x210f810) at smtp.c:503
#8  mutt_smtp_send (from=0x210ce70, to=0x210c890, cc=0x0, bcc=0x0, msgfile=msgfile@entry=0x7fffc8657570 "/tmp/mutt-drift-2428-105237-294724449650828126", eightbit=1) at smtp.c:311
#9  0x0000000000464a45 in send_message (msg=<optimized out>, msg=<optimized out>) at send.c:1030
#10 ci_send_message (flags=<optimized out>, flags@entry=0, msg=<optimized out>, msg@entry=0x0, tempfile=tempfile@entry=0x0, ctx=0x1f44270, cur=<optimized out>, cur@entry=0x0) at send.c:1936
#11 0x000000000042201e in mutt_index_menu () at curs_main.c:2161
#12 0x0000000000409253 in main (argc=1, argv=0x7fffc865abe8, environ=<optimized out>) at main.c:1274

--8<-- free 2 ----------------------------------------------->8--

#0  free_rc4 (text=0x21d3460) at digestmd5.c:1227
#1  0x00007f1fa8413420 in digestmd5_common_mech_dispose (conn_context=0x21d3460, utils=0x21d32d0) at digestmd5.c:1610
#2  0x00007f1fa7e696f8 in client_dispose (pconn=0x21d1080) at client.c:337
#3  0x00007f1fa7e6c414 in sasl_dispose (pconn=0x21693a0) at common.c:849
#4  0x00000000004987c0 in mutt_sasl_conn_close (conn=0x210f810) at mutt_sasl.c:496
#5  0x00000000004952a3 in mutt_socket_close (conn=conn@entry=0x210f810) at mutt_socket.c:85
#6  0x000000000049395a in mutt_smtp_send (from=<optimized out>, to=0x210c890, cc=0x0, bcc=0x0, msgfile=msgfile@entry=0x7fffc8657570 "/tmp/mutt-drift-2428-105237-294724449650828126", eightbit=<optimized out>) at smtp.c:357
#7  0x0000000000464a45 in send_message (msg=<optimized out>, msg=<optimized out>) at send.c:1030
#8  ci_send_message (flags=<optimized out>, flags@entry=0, msg=<optimized out>, msg@entry=0x0, tempfile=tempfile@entry=0x0, ctx=0x1f44270, cur=<optimized out>, cur@entry=0x0) at send.c:1936
#9  0x000000000042201e in mutt_index_menu () at curs_main.c:2161
#10 0x0000000000409253 in main (argc=1, argv=0x7fffc865abe8, environ=<optimized out>) at main.c:1274

--8<--------------------------------------------------------->8--

The first one happens during logon, the other when dismantling
the connection. Thus the message is sent successfully, but mutt
crashes every time.

In my test this happens with mutt 1.10+ and cyrus-sasl
2.1.2{6,7}. I did not check earlier versions. The server is a
postfix with cyrus-sasl advertising “LOGIN DIGEST-MD5 PLAIN
CRAM-MD5”. Only SMTP/Submission crashes while IMAPS is fine.

For both mutt and cyrus-sasl the relevant code hasn’t changed in
years. To me it appears that the problem may be masked by very
few mail servers supporting digest-md5 and the fact that some
distros (e.g. NixOS) build cyrus-sasl with “--enable-login”
which changes the preference for authentication mechs.

PS: Bringing this up here because mutt is what crashes for me.
    As far as I can see, mutt follows the example code provided
    by cyrus-sasl closely so if you prefer I can move the
    discussion to the cyrus-sasl list.

Thank you,
Philipp
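Added example, not code from mutt or cyrus-sasl and not part of the message above: a small C model of the lifecycle the two backtraces show, where free_rc4 runs on the same object once from the mechanism step and once again from dispose. The struct, the function names and the tracking allocator are assumptions constructed for this illustration. It contrasts a teardown that leaves the pointers dangling with one that nulls each pointer after freeing it, so the second release becomes a no-op; the tracking allocator counts a repeated free instead of corrupting the real heap, which is what a sanitizer would catch at runtime.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed tracking allocator (not a real heap): memory is only marked
 * dead on free and actually released in tracked_reset(), so a repeated free
 * is detected and counted rather than causing undefined behaviour. */
#define MAX_TRACKED 16

typedef struct {
    void *ptr;
    int live;
} track_slot_t;

static track_slot_t slots[MAX_TRACKED];
static int double_frees;   /* incremented when an already-freed pointer is freed again */

static void *tracked_alloc(size_t n) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].ptr == NULL) {
            slots[i].ptr = calloc(1, n);
            slots[i].live = (slots[i].ptr != NULL);
            return slots[i].ptr;
        }
    }
    return NULL;
}

/* Returns 0 on a normal free, -1 when the pointer was already freed. */
static int tracked_free(void *p) {
    if (p == NULL) return 0;           /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].ptr == p) {
            if (!slots[i].live) { double_frees++; return -1; }
            slots[i].live = 0;         /* mark dead; storage released in tracked_reset */
            return 0;
        }
    }
    return -1;                         /* pointer never came from this allocator */
}

static void tracked_reset(void) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        free(slots[i].ptr);
        slots[i].ptr = NULL;
        slots[i].live = 0;
    }
    double_frees = 0;
}

/* Hypothetical stand-in for the per-connection cipher state (not cyrus-sasl's). */
typedef struct {
    unsigned char *enc_state;  /* stands in for the RC4 encrypt context */
    unsigned char *dec_state;  /* stands in for the RC4 decrypt context */
} cipher_ctx_t;

static int cipher_init(cipher_ctx_t *c) {
    c->enc_state = tracked_alloc(256);
    c->dec_state = tracked_alloc(256);
    return (c->enc_state && c->dec_state) ? 0 : -1;
}

/* Fragile teardown: frees the state but leaves the pointers dangling, so a
 * later dispose that runs the same routine frees the same memory again. */
static void cipher_free_dangling(cipher_ctx_t *c) {
    tracked_free(c->enc_state);
    tracked_free(c->dec_state);
}

/* Hardened teardown: idempotent, because every freed pointer is nulled. */
static void cipher_free_safe(cipher_ctx_t *c) {
    tracked_free(c->enc_state); c->enc_state = NULL;
    tracked_free(c->dec_state); c->dec_state = NULL;
}

/* Drives the two-phase release the backtraces show (mechanism step, then
 * dispose) and returns how many repeated frees the tracker caught. */
static int run_lifecycle(int hardened) {
    cipher_ctx_t ctx;
    tracked_reset();
    if (cipher_init(&ctx) != 0) return -1;
    if (hardened) { cipher_free_safe(&ctx);     cipher_free_safe(&ctx); }
    else          { cipher_free_dangling(&ctx); cipher_free_dangling(&ctx); }
    int caught = double_frees;
    tracked_reset();
    return caught;
}

int main(void) {
    printf("dangling pointers: %d repeated free(s) caught\n", run_lifecycle(0));
    printf("nulled pointers:   %d repeated free(s) caught\n", run_lifecycle(1));
    return 0;
}
```

With the dangling variant the second pass frees both state buffers again (two hits); with the nulled variant it finds NULL pointers and does nothing. Building the real code with AddressSanitizer (`-fsanitize=address`) reports the same condition at the exact second free_rc4 call, with both allocation and first-free stacks.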
