https://bugs.exim.org/show_bug.cgi?id=1835
Bug ID: 1835
Summary: Use after free of FILE *smtp_in, *smtp_out in server
process after failed GnuTLS STARTTLS
Product: Exim
Version: 4.87
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
Assignee: pdp@???
Reporter: bugzilla.exim.simon@???
CC: exim-dev@???
tls_server_start in tls-gnu.c closes smtp_out and smtp_in:
if (rc != GNUTLS_E_SUCCESS)
{
tls_error(US"gnutls_handshake",
sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
/* It seems that, except in the case of a timeout, we have to close the
connection right here; otherwise if the other end is running OpenSSL it hangs
until the server times out. */
if (!sigalrm_seen)
{
(void)fclose(smtp_out);
(void)fclose(smtp_in);
}
return FAIL;
}
All of the other code after that will assume that it can still use smtp_in and
smtp_out. Depending on the likelihood of the FILE handle data being written it
will crash somewhere, like this call to fflush(smtp_out):
(gdb) bt
#0 0x00007fb345019776 in __GI__IO_fflush (fp=0x55d947c12af0) at iofflush.c:39
#1 0x000055d946d7f54a in handle_smtp_call (accepted=0x7fff121c6aa0,
accept_socket=<optimised out>, listen_socket_count=8,
listen_sockets=0x55d947c17688) at daemon.c:525
#2 daemon_go () at daemon.c:2041
#3 0x000055d946d738cd in main (argc=<optimised out>, cargv=<optimised out>) at
exim.c:4731
(gdb) p *smtp_out
$1 = {_flags = 1919232032, _IO_read_ptr = 0x6c69662064614220 <error: Cannot
access memory at address 0x6c69662064614220>,
_IO_read_end = 0x6972637365642065 <error: Cannot access memory at address
0x6972637365642065>, _IO_read_base = 0x29726f7470 <error: Cannot access memory
at address 0x29726f7470>, _IO_write_base = 0x0,
_IO_write_ptr = 0x431 <error: Cannot access memory at address 0x431>,
_IO_write_end = 0x7fb34536fb78 <main_arena+88> "\260o\rH\331U", _IO_buf_base =
0x55d9480cf910 "", _IO_buf_end = 0x0,
_IO_save_base = 0x0, _IO_backup_base = 0x55d9480cf920 "\020+\301G\331U",
_IO_save_end = 0x55d9480cf9b4 "", _markers = 0x55d9480d1920, _chain = 0x0,
_fileno = 1208817952, _flags2 = 21977,
_old_offset = 0, _cur_column = 0, _vtable_offset = 0 '\000', _shortbuf = "",
_lock = 0x0, _offset = 0, __pad1 = 0x0, __pad2 = 0x47c12be0, __pad3 = 0x0,
__pad4 = 0x0, __pad5 = 94391700106272,
_mode = -1, _unused2 = '\000' <repeats 12 times>,
"\377\377\377\377\377\377\377\377"}
(gdb) p *smtp_in
$2 = {_flags = -72539124, _IO_read_ptr = 0x0, _IO_read_end = 0x0, _IO_read_base
= 0x0, _IO_write_base = 0x0, _IO_write_ptr = 0x0, _IO_write_end = 0x0,
_IO_buf_base = 0x0, _IO_buf_end = 0x0,
_IO_save_base = 0x1e1 <error: Cannot access memory at address 0x1e1>,
_IO_backup_base = 0x7fb34536fd48 <main_arena+552> "8\375\066E\263\177",
_IO_save_end = 0x7fb34536fd48 <main_arena+552> "8\375\066E\263\177", _markers
= 0x0, _chain = 0x7fb345370540 <_IO_2_1_stderr_>, _fileno = -1, _flags2 = 0,
_old_offset = 0, _cur_column = 0,
_vtable_offset = 0 '\000', _shortbuf = "", _lock = 0x55d947c12e00, _offset =
-1, __pad1 = 0x0, __pad2 = 0x55d947c12e10, __pad3 = 0x0, __pad4 = 0x0, __pad5 =
0, _mode = 0,
_unused2 = '\000' <repeats 19 times>}
--
You are receiving this mail because:
You are on the CC list for the bug.
