Re: Segmentation fault in xsasl_dovecot_server.c

Sun, 25 Aug 2019 10:23:56 -0700 

Wietse Venema:
> Tim D?sterhus:
> > Yes, I understand that if I'm pretending to be Dovecot that I should
> > talk like Dovecot or at least follow the protocol as documented in
> > Dovecot's Wiki. The protocol error in my implementation is already fixed.
> > 
> > It's just that Postfix never ever crashed on me before and I believe
> > that it should never crash, even when facing protocol errors in talking
> > to an "internal" service. Therefore I reported this issue with what I
> > consider as much information as possible to make it easy enough for you
> > to fix.
> > 
> > I take the patch at the bottom of your email as "this patch is included
> > in the next release" and thus consider this case closed.
> 
> The code was contributed and not subjected to detailed verification.
> It needs more work; during cursory examination I found that smtpd(8)
> will abort after a safety check fails, when the "Dovecot" server
> replies OK without sending username info back to the Dovecot client.
> I'm traveling at the moment and do not have time for a detailed
> analysis.

Updated patch follows. I would appreciate it if someone could verify
that this reports no errors with a real Dovecot server.

        Wietse

20190825

        Bugfix (introduced: 20051222): the Dovecot client could
        segfault (null pointer read) or cause an SMTP server assertion
        to fail when talking to a fake Dovecot server. It now logs
        a proper error instead. File: xsasl/xsasl_dovecot_server.c.

*** ./src/xsasl/xsasl_dovecot_server.c- 2016-01-24 01:50:54.000000000 +0100
--- ./src/xsasl/xsasl_dovecot_server.c  2019-08-25 19:11:02.808234389 +0200
***************
*** 584,593 ****
--- 584,603 ----
            if (xsasl_dovecot_parse_reply(server, &line) == 0) {
                /* authentication successful */
                xsasl_dovecot_parse_reply_args(server, line, reply, 1);
+               if (server->username == 0) {
+                   msg_warn("missing Dovecot server %s username field", cmd);
+                   vstring_strcpy(reply, "Authentication backend error");
+                   return XSASL_AUTH_FAIL;
+               }
                return XSASL_AUTH_DONE;
            }
        } else if (strcmp(cmd, "CONT") == 0) {
            if (xsasl_dovecot_parse_reply(server, &line) == 0) {
+               if (line == 0) {
+                   msg_warn("missing Dovecot server %s reply field", cmd);
+                   vstring_strcpy(reply, "Authentication backend error");
+                   return XSASL_AUTH_FAIL;
+               }
                vstring_strcpy(reply, line);
                return XSASL_AUTH_MORE;
            }

Reply via email to