https://bugs.exim.org/show_bug.cgi?id=1730
Bug ID: 1730
Summary: another MIME ACL crash
Product: Exim
Version: 4.86+ HEAD
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: ACLs
Assignee: jgh146exb@???
Reporter: wbreyha@???
CC: exim-dev@???
We see some exim (4.86+local fixes) crashes in MIME ACL again.
I already have a couple of -D spool files left since the sending MTA retries
regularly.
The MIME Headers I see in one example are:
--=_4nh2vc18r6
Content-Type: text/plain;
charset=UTF-8;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
....
--=_4nh2vc18r6
Content-Type: application/pdf;
name*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF
Content-Disposition: attachment;
filename*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF
Content-Transfer-Encoding: base64
....
--=_4nh2vc18r6--
The backtrace of it shows:
#0 0x00000035651336ef in __strlen_sse42 () from /lib64/libc.so.6
#1 0x00000000004b7863 in rfc2231_to_2047 (fname=0x15942df ";", charset=0x0,
len=0x7ffdc7e0b8dc) at mime.c:553
#2 0x00000000004b7ebd in mime_acl_check (acl=0x1547df8 "acl_check_mime",
f=0x1573a30,
context=0x7ffdc7e0c290, user_msgptr=0x7ffdc7e0c770,
log_msgptr=0x7ffdc7e0c768) at mime.c:716
#3 0x00000000004b834f in mime_acl_check (acl=0x1547df8 "acl_check_mime",
f=0x1573a30, context=0x0,
user_msgptr=0x7ffdc7e0c770, log_msgptr=0x7ffdc7e0c768) at mime.c:823
#4 0x0000000000479c1c in run_mime_acl (acl=0x1547df8 "acl_check_mime",
smtp_yield_ptr=0x7ffdc7e0d3b8,
smtp_reply_ptr=0x7ffdc7e0d2e8, blackholed_by_ptr=0x7ffdc7e0d3b0) at
receive.c:1213
#5 0x000000000047d7f6 in receive_msg (extract_recip=0) at receive.c:3280
#6 0x000000000042426a in handle_smtp_call (listen_sockets=0x1554af0,
listen_socket_count=6, accept_socket=9,
accepted=0x7ffdc7e0d940) at daemon.c:513
#7 0x0000000000427227 in daemon_go () at daemon.c:2040
#8 0x00000000004436ca in main (argc=5, cargv=0x7ffdc7e4e488) at exim.c:4729
The crash seems to happen because:
(gdb) frame 1
#1 0x00000000004b7863 in rfc2231_to_2047 (fname=0x159442f ";", charset=0x0,
len=0x7ffdc7e0b8dc) at mime.c:553
553 val = string_cat(val, &size, &ptr, charset, Ustrlen(charset));
Ustrlen(charset=0x0) is called.
(gdb) frame 2
#2 0x00000000004b7ebd in mime_acl_check (acl=0x1547df8 "acl_check_mime",
f=0x1586100, context=0x7ffdc7e0c290,
user_msgptr=0x7ffdc7e0c770, log_msgptr=0x7ffdc7e0c768) at mime.c:716
716 temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen);
Looking at how mime_filename_charset is generated it seems the filename*=''... part causes it.
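The report above points at a parameter of the form charset'language'value where the charset section is empty, leaving the converter with a NULL charset that is then passed to a length function. The following C code is an added illustration of a decoder that treats that case as data rather than as a pointer to dereference; it is not Exim's code, and the names rfc2231_decode, rfc2231_param, rfc2231_effective_charset and the two check helpers are my own. The sample value is copied from the headers quoted in the report.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Decoded form of one RFC 2231 extended parameter value. */
typedef struct {
    char charset[64];   /* "" when the charset section was empty */
    char language[32];  /* "" when absent */
    char value[512];    /* percent-decoded bytes, NUL terminated */
} rfc2231_param;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Copy [start, end) into dst and NUL-terminate it.
   Returns 0 on success, -1 if the section does not fit. */
static int copy_section(char *dst, size_t cap, const char *start, const char *end) {
    size_t n = (size_t)(end - start);
    if (n >= cap) return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* Parse charset'language'percent-encoded-value (RFC 2231 section 4).
   Returns 0 on success, -1 on malformed input. An empty charset section,
   as in the report's filename*=''..., is accepted and reported as
   charset[0] == '\0' so the caller can pick a default instead of
   handing a NULL pointer to strlen(). */
int rfc2231_decode(const char *in, rfc2231_param *out) {
    const char *q1, *q2, *p;
    size_t n = 0;
    if (!in || !out) return -1;
    memset(out, 0, sizeof *out);
    q1 = strchr(in, '\'');
    if (!q1) return -1;
    q2 = strchr(q1 + 1, '\'');
    if (!q2) return -1;
    if (copy_section(out->charset, sizeof out->charset, in, q1) < 0) return -1;
    if (copy_section(out->language, sizeof out->language, q1 + 1, q2) < 0) return -1;
    for (p = q2 + 1; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            /* Require two hex digits; a truncated escape is rejected, not guessed. */
            int h = hexval((unsigned char)p[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)p[2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            p += 2;
        }
        if (n + 1 >= sizeof out->value) return -1;
        out->value[n++] = (char)c;
    }
    out->value[n] = '\0';
    return 0;
}

/* Charset to use for a decoded parameter: the declared one, or the caller's
   default when the declaration was empty. Never returns NULL. */
const char *rfc2231_effective_charset(const rfc2231_param *p, const char *dflt) {
    return (p->charset[0] != '\0') ? p->charset : dflt;
}

/* Check helper: 1 if `in` decodes to exactly these charset/language/value fields. */
int rfc2231_check(const char *in, const char *cs, const char *lang, const char *val) {
    rfc2231_param p;
    if (rfc2231_decode(in, &p) != 0) return 0;
    return strcmp(p.charset, cs) == 0 && strcmp(p.language, lang) == 0
        && strcmp(p.value, val) == 0;
}

/* Check helper: 1 if decoding `in` and applying default `dflt` yields charset `want`. */
int rfc2231_charset_check(const char *in, const char *dflt, const char *want) {
    rfc2231_param p;
    if (rfc2231_decode(in, &p) != 0) return 0;
    return strcmp(rfc2231_effective_charset(&p, dflt), want) == 0;
}

int main(void) {
    /* Constructed sample: the parameter value from the headers in the report. */
    const char *sample = "''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF";
    rfc2231_param p;
    if (rfc2231_decode(sample, &p) != 0) { puts("malformed"); return 1; }
    printf("charset=\"%s\" language=\"%s\" value=\"%s\"\n",
           rfc2231_effective_charset(&p, "us-ascii"), p.language, p.value);
    return 0;
}
```

The point of the split between rfc2231_decode and rfc2231_effective_charset is that the decoder never invents a charset; it records the empty section and the policy decision (which default to substitute, or whether to reject the part) is made once, in one place, by code that cannot see a NULL.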