[Exim] exim 4.22 segfaults with saslauthd condition

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Thomas Hager
Datum:  
To: exim-users
Neue Treads: Re: [Exim] exim 4.22 segfaults with saslauthd condition (again)
Betreff: [Exim] exim 4.22 segfaults with saslauthd condition
--
--
elo,

i experimented with exim's new saslauthd condition.
if i use the feature without specifying service and realm

    ${if saslauthd{{$2}{$3}}{yes}{no}}


exim segfaults in saslauthd_verify_password().

i traced the bug to eval_condition() in expand.c.
in the saslauthd section the sub[] array is passed to
auth_call_saslauthd() without verifying the values returned by
read_subs(). if the condition is called without service and realm,
sub[2] is set to NULL, whereas sub[3] is left undefined ( read_subs()
sets the first non-present item to NULL and returns ).

saslauthd_verify_password() segfaults when accessing sub[3].

i attached a patch to expand.c, which checks the value of sub[2] prior
to calling auth_call_saslauthd(). if sub[2] is NULL, sub[3] is set to
NULL too.

dunno if this is the proper approach, but it works ;-)

best,
tom.

--

Thomas "Duke" Hager         | "Microsoft is not the answer.
duke@{bofh.at,1012surf.net} |  Microsoft is the question.
thomas.hager@???   |  NO is the answer."
                                       Erik Naggum.




--
--- exim-4.22/src/expand.c    Mon Aug 18 14:52:54 2003
+++ exim-4.22.hack/src/expand.c    Fri Aug 29 15:44:25 2003
@@ -1462,6 +1462,9 @@
   if (yield != NULL)
     {
     int rc;
+
+    if ( sub[2] == NULL ) sub[3] = NULL;
+
     rc = auth_call_saslauthd(sub[0], sub[1], sub[2], sub[3],
       &expand_string_message);
     if (rc == ERROR || rc == DEFER) return NULL;
--
Content-Description: This is a digitally signed message part


[ signature.asc of type application/pgp-signature deleted ]
--