On Fri, Aug 09, 2002 at 02:09:59PM +0100, Philip Hazel wrote:
> On Fri, 9 Aug 2002, Rachel Moore wrote:
>
> > Earlier, a user accidentally put a "#" on the end of an email
> > address in the To: field, which made Exim 3.36 do the following:
> >
> > 2002-08-09 13:10:34 queue run: process 17081 crashed with signal
> > 11 while delivering 17d8ZN-0004QP-00
>
> I cannot reproduce this trivially. Neither with nor without the use of
> -t on the Exim command line.
>
> > bash-2.05a# exim -Mrm 17d8ZN-0004QP-00
> > Bus error
>
> That suggests the spool file got screwed up.
I can do it with a simple: echo foo|exim user@???#
(Exim 3.36 by the way).
And I end up with a spool -H file that has "user@???#"
in the recipients list. Reading spool_in.c for Exim 4
alludes that there could be digits and special terminators after
the address (if I've got this right).
Exim 3 type: <address><space><digits>,<digits>,<digits>
Exim 4 first type: <address><space><digits>
Exim 4 new type: <address><space><data>#<type bits>
From Exim 3.36 spool_in.c:
    p = big_buffer + nn - 2;
    while (isdigit((uschar)*p) || *p == ',') p--;

    /* New Exim 4 style */
    if (*p == '#')
      {
      int len;
      p--;
      while (isdigit((uschar)*p) || *p == ',') p--;
      sscanf(p+1, "%d,%d", &len, &pno);
      flags = rf_onetime;
      p -= len + 1;
      *p = 0;
      }
So if I've read this right Exim 3.36 meets the # and then the "e"
from domain.example which isn't a digit or a comma, scanf's from
the # for "%d,%d" which aren't going to be there. We then
subtract len + 1 from p and poke a null there. But len is
uninitialised and so where this is is anyone's guess.
In Exim 4.10 there is a similar bit of code, but it has some more
checks and a *(--p) = 0; which if the other if statement fails
means that "user@???#" gets changed to
"user@???<NULL>#" and is unrouteable.
Regards, Matthew
--
Matthew Frost http://www.frost.org/
email: matthew@???
"5 Out of screen, 10:1"
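Added example (my own code, not Exim's): a recipient-line parser for the layout the quoted walk-backwards code implies, <address> <data> <len>,<pno>#<flags>, which is an assumption drawn from that code rather than from the spool format documentation; unlike the 3.36 fragment it checks what sscanf returned and keeps the computed offset inside the buffer, so a stray trailing "#" is rejected instead of being used with an uninitialised length.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed spool recipient line (field names are this example's own). */
typedef struct {
    char address[256];
    int len;    /* length of the <data> field, -1 if absent */
    int pno;    /* parent number, -1 if absent */
    int flags;  /* digits after '#', 0 if none */
} rcpt_t;

/* Returns 1 on success, 0 if the line is malformed. Same backwards walk as the
   quoted spool_in.c code, but sscanf's return value is checked and the offset
   p - (len + 1) must stay inside the buffer, so "user@example.com#" fails
   cleanly instead of storing a NUL through an uninitialised len. */
int parse_recipient(const char *line, rcpt_t *r)
{
    char buf[512];
    size_t n = strlen(line);
    if (n == 0 || n >= sizeof buf) return 0;
    memcpy(buf, line, n + 1);
    r->len = r->pno = -1;
    r->flags = 0;

    char *p = buf + n - 1;
    while (p > buf && (isdigit((unsigned char)*p) || *p == ',')) p--;

    if (*p == '#') {                    /* extended: <address> <data> <len>,<pno>#<flags> */
        int len, pno;
        char *hash = p;
        if (p == buf) return 0;
        p--;
        while (p > buf && (isdigit((unsigned char)*p) || *p == ',')) p--;
        if (*p != ' ' || sscanf(p + 1, "%d,%d", &len, &pno) != 2 || len < 0) return 0;
        if ((size_t)(p - buf) <= (size_t)len) return 0;  /* p - (len + 1) would leave buf */
        p -= len + 1;
        if (*p != ' ') return 0;        /* <data> must sit right after the address */
        r->len = len;
        r->pno = pno;
        r->flags = (int)strtol(hash + 1, NULL, 10);
    } else if (*p == ' ' && isdigit((unsigned char)p[1])) {  /* older: <address> <pno> */
        if (sscanf(p + 1, "%d", &r->pno) != 1) return 0;    /* first number only */
    } else {
        p = buf + n;                    /* plain: the whole line is the address */
    }
    *p = 0;
    if (p == buf || (size_t)(p - buf) >= sizeof r->address || strchr(buf, ' ')) return 0;
    strcpy(r->address, buf);
    return 1;
}
```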