[exim-dev] [Bug 1835] New: Use after free of FILE *smtp_in, …

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 1835] Use after free of FILE *smtp_in, *smtp_out in server process after failed GnuTLS STARTTLS, [exim-dev] [Bug 1835] Use after free of FILE *smtp_in, *smtp_out in server process after failed GnuTLS STARTTLS, [exim-dev] [Bug 1835] Use after free of FILE *smtp_in, *smtp_out in server process after failed GnuTLS STARTTLS, [exim-dev] [Bug 1835] Use after free of FILE *smtp_in, *smtp_out in server process after failed GnuTLS STARTTLS, [exim-dev] [Bug 1835] Use after free of FILE *smtp_in, *smtp_out in server process after failed GnuTLS STARTTLS, [exim-dev] [Bug 1835] Use after free of FILE *smtp_in, *smtp_out in server process after failed GnuTLS STARTTLS
Subject: [exim-dev] [Bug 1835] New: Use after free of FILE *smtp_in, *smtp_out in server process after failed GnuTLS STARTTLS
https://bugs.exim.org/show_bug.cgi?id=1835

            Bug ID: 1835
           Summary: Use after free of FILE *smtp_in, *smtp_out in server
                    process after failed GnuTLS STARTTLS
           Product: Exim
           Version: 4.87
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: pdp@???
          Reporter: bugzilla.exim.simon@???
                CC: exim-dev@???


tls_server_start in tls-gnu.c closes smtp_out and smtp_in:

if (rc != GNUTLS_E_SUCCESS)
  {
  tls_error(US"gnutls_handshake",
      sigalrm_seen ? "timed out" : gnutls_strerror(rc), NULL);
  /* It seems that, except in the case of a timeout, we have to close the
  connection right here; otherwise if the other end is running OpenSSL it hangs
  until the server times out. */


  if (!sigalrm_seen)
    {
    (void)fclose(smtp_out);
    (void)fclose(smtp_in);
    }


return FAIL;
}

All of the other code after that will assume that it can still use smtp_in and
smtp_out. Depending on the likelihood of the FILE handle data being written it
will crash somewhere, like this call to fflush(smtp_out):

(gdb) bt
#0 0x00007fb345019776 in __GI__IO_fflush (fp=0x55d947c12af0) at iofflush.c:39
#1 0x000055d946d7f54a in handle_smtp_call (accepted=0x7fff121c6aa0,
accept_socket=<optimised out>, listen_socket_count=8,
listen_sockets=0x55d947c17688) at daemon.c:525
#2 daemon_go () at daemon.c:2041
#3 0x000055d946d738cd in main (argc=<optimised out>, cargv=<optimised out>) at
exim.c:4731
(gdb) p *smtp_out
$1 = {_flags = 1919232032, _IO_read_ptr = 0x6c69662064614220 <error: Cannot
access memory at address 0x6c69662064614220>,
_IO_read_end = 0x6972637365642065 <error: Cannot access memory at address
0x6972637365642065>, _IO_read_base = 0x29726f7470 <error: Cannot access memory
at address 0x29726f7470>, _IO_write_base = 0x0,
_IO_write_ptr = 0x431 <error: Cannot access memory at address 0x431>,
_IO_write_end = 0x7fb34536fb78 <main_arena+88> "\260o\rH\331U", _IO_buf_base =
0x55d9480cf910 "", _IO_buf_end = 0x0,
_IO_save_base = 0x0, _IO_backup_base = 0x55d9480cf920 "\020+\301G\331U",
_IO_save_end = 0x55d9480cf9b4 "", _markers = 0x55d9480d1920, _chain = 0x0,
_fileno = 1208817952, _flags2 = 21977,
_old_offset = 0, _cur_column = 0, _vtable_offset = 0 '\000', _shortbuf = "",
_lock = 0x0, _offset = 0, __pad1 = 0x0, __pad2 = 0x47c12be0, __pad3 = 0x0,
__pad4 = 0x0, __pad5 = 94391700106272,
_mode = -1, _unused2 = '\000' <repeats 12 times>,
"\377\377\377\377\377\377\377\377"}
(gdb) p *smtp_in
$2 = {_flags = -72539124, _IO_read_ptr = 0x0, _IO_read_end = 0x0, _IO_read_base
= 0x0, _IO_write_base = 0x0, _IO_write_ptr = 0x0, _IO_write_end = 0x0,
_IO_buf_base = 0x0, _IO_buf_end = 0x0,
_IO_save_base = 0x1e1 <error: Cannot access memory at address 0x1e1>,
_IO_backup_base = 0x7fb34536fd48 <main_arena+552> "8\375\066E\263\177",
_IO_save_end = 0x7fb34536fd48 <main_arena+552> "8\375\066E\263\177", _markers
= 0x0, _chain = 0x7fb345370540 <_IO_2_1_stderr_>, _fileno = -1, _flags2 = 0,
_old_offset = 0, _cur_column = 0,
_vtable_offset = 0 '\000', _shortbuf = "", _lock = 0x55d947c12e00, _offset =
-1, __pad1 = 0x0, __pad2 = 0x55d947c12e10, __pad3 = 0x0, __pad4 = 0x0, __pad5 =
0, _mode = 0,
_unused2 = '\000' <repeats 19 times>}

--
You are receiving this mail because:
You are on the CC list for the bug.