[exim-dev] [Bug 1730] New: another MIME ACL crash

https://bugs.exim.org/show_bug.cgi?id=1730

            Bug ID: 1730
           Summary: another MIME ACL crash
           Product: Exim
           Version: 4.86+ HEAD
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: wbreyha@???
                CC: exim-dev@???

We see some exim (4.86+local fixes) crashes in MIME ACL again.

I already have a couple of -D spool files left since the sending MTA retries
regularly.

The MIME Headers I see in one example are:

--=_4nh2vc18r6
Content-Type: text/plain;
charset=UTF-8;
DelSp="Yes";
format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

....

--=_4nh2vc18r6
Content-Type: application/pdf;
name*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF
Content-Disposition: attachment;
filename*=''2015.11.13%20-%20Pr%C3%A4sentation%20GI%20-%20LK.PDF
Content-Transfer-Encoding: base64

....

--=_4nh2vc18r6--


The backtrace of it shows:

#0  0x00000035651336ef in __strlen_sse42 () from /lib64/libc.so.6
#1  0x00000000004b7863 in rfc2231_to_2047 (fname=0x15942df ";", charset=0x0,
len=0x7ffdc7e0b8dc) at mime.c:553
#2  0x00000000004b7ebd in mime_acl_check (acl=0x1547df8 "acl_check_mime",
f=0x1573a30,
    context=0x7ffdc7e0c290, user_msgptr=0x7ffdc7e0c770,
log_msgptr=0x7ffdc7e0c768) at mime.c:716
#3  0x00000000004b834f in mime_acl_check (acl=0x1547df8 "acl_check_mime",
f=0x1573a30, context=0x0,
    user_msgptr=0x7ffdc7e0c770, log_msgptr=0x7ffdc7e0c768) at mime.c:823
#4  0x0000000000479c1c in run_mime_acl (acl=0x1547df8 "acl_check_mime",
smtp_yield_ptr=0x7ffdc7e0d3b8,
    smtp_reply_ptr=0x7ffdc7e0d2e8, blackholed_by_ptr=0x7ffdc7e0d3b0) at
receive.c:1213
#5  0x000000000047d7f6 in receive_msg (extract_recip=0) at receive.c:3280
#6  0x000000000042426a in handle_smtp_call (listen_sockets=0x1554af0,
listen_socket_count=6, accept_socket=9,
    accepted=0x7ffdc7e0d940) at daemon.c:513
#7  0x0000000000427227 in daemon_go () at daemon.c:2040
#8  0x00000000004436ca in main (argc=5, cargv=0x7ffdc7e4e488) at exim.c:4729

The crash seems to happen because:
(gdb) frame 1
#1  0x00000000004b7863 in rfc2231_to_2047 (fname=0x159442f ";", charset=0x0,
len=0x7ffdc7e0b8dc) at mime.c:553
553    val = string_cat(val, &size, &ptr, charset, Ustrlen(charset));

Ustrlen(charset=0x0) is called.

(gdb) frame 2
#2  0x00000000004b7ebd in mime_acl_check (acl=0x1547df8 "acl_check_mime",
f=0x1586100, context=0x7ffdc7e0c290, 
    user_msgptr=0x7ffdc7e0c770, log_msgptr=0x7ffdc7e0c768) at mime.c:716
716            temp_string = rfc2231_to_2047(p, mime_filename_charset, &slen);

looking at how mime_filename_charset is generated it seems the
filename*=''...
part causes it.

--
You are receiving this mail because:
You are on the CC list for the bug.