https://bugs.exim.org/show_bug.cgi?id=2239
Bug ID: 2239
Summary: segfault when processing control = utf8_downconvert
Product: Exim
Version: 4.90
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: ACLs
Assignee: jgh146exb@???
Reporter: gedalya@???
CC: exim-dev@???

This seems to happen no matter where I put this modifier.
I'm not that familiar with gdb so if more is needed in that realm please treat me like a dummy.

This is a custom-built exim, reproduced the issue on Debian stretch and buster (testing).

# exim -bV
Exim version 4.90_1 #2 built 10-Feb-2018 12:45:40
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM DNSSEC Event
I18N OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch mysql
Authenticators: dovecot plaintext
Routers: accept dnslookup manualroute redirect
Transports: appendfile autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf
Starting program: /usr/sbin/exim -bh 127.0.0.1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
**** SMTP testing session as if from host 127.0.0.1
**** but without any ident (RFC 1413) callback.
**** This is not for real!
>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 127.0.0.1
>>> IP address lookup yielded "localhost"
>>> local host found for non-MX address
>>> checking addresses for localhost
>>> ::1
>>> 127.0.0.1 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 mx2.gedalya.net ESMTP Sun, 11 Feb 2018 10:28:09 -0500
EHLO me
>>> host in dsn_advertise_hosts? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in auth_advertise_hosts? yes (matched "*")
>>> host in chunking_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? yes (matched "*")
>>> host in smtputf8_advertise_hosts? yes (matched "*")
250-mx2.gedalya.net Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250-SMTPUTF8
250 HELP
MAIL FROM: <test@???> SMTPUTF8
>>> using ACL "acl_check_mail"
>>> processing "deny"
>>> message: no HELO given before MAIL command
>>> check condition = ${if def:sender_helo_name {no}{yes}}
>>> = no
>>> deny: condition test failed in ACL "acl_check_mail"
>>> processing "accept"
>>> check control = utf8_downconvert
Program received signal SIGSEGV, Segmentation fault.
acl_check_condition (level=<optimized out>, basic_errno=0x7ffcb78439ec,
log_msgptr=0x7ffcb7843d90, user_msgptr=0x7ffcb7843d98, epp=<synthetic pointer>,
addr=0x0, where=1, cb=0x563f892ebaf8, verb=0) at acl.c:3338
3338 acl.c: No such file or directory.
(gdb) bt full
#0 acl_check_condition (level=<optimized out>, basic_errno=0x7ffcb78439ec,
log_msgptr=0x7ffcb7843d90, user_msgptr=0x7ffcb7843d98, epp=<synthetic pointer>,
addr=0x0, where=1, cb=0x563f892ebaf8, verb=0) at acl.c:3338
p = <optimized out>
arg = 0x563f892ebb18 "utf8_downconvert"
user_message = <optimized out>
log_message = 0x0
rc = 0
sep = -47
#1 acl_check_internal (where=where@entry=1, addr=addr@entry=0x0, s=<optimized
out>, user_msgptr=user_msgptr@entry=0x7ffcb7843d98, log_msgptr=0x7ffcb7843d90)
at acl.c:4079
basic_errno = 0
endpass_seen = 0
fd = <optimized out>
acl = 0x563f892ebae0
acl_name = <optimized out>
ss = <optimized out>
#2 0x0000563f87d04429 in acl_check (where=where@entry=1,
recipient=recipient@entry=0x0, s=<optimized out>,
user_msgptr=user_msgptr@entry=0x7ffcb7843d98,
log_msgptr=log_msgptr@entry=0x7ffcb7843d90) at acl.c:4391
rc = <optimized out>
adb = {next = 0x0, parent = 0x0, first = 0x0, dupof = 0x0, start_router
= 0x0, router = 0x0, transport = 0x0, host_list = 0x0, host_used = 0x400000000,
fallback_hosts = 0x563f87d6909b <string_vformat+1019>, reply = 0x563f87dc0000,
retries = 0x0, address = 0x563f892e7370 "250-SIZE 52428800\r\n", unique =
0x563f87d693ed <string_vformat+1869>
"D\213L$,\211\301D\213D$(\351I\374\377\377H\213|$\030\213\027\203\372/\017\207\350\001",
cc_local_part = 0xffffffffffffffff <error: Cannot access memory at address
0xffffffffffffffff>, lc_local_part = 0x0, local_part = 0x563f87db8d00
"handling%s incoming connection from %s", prefix = 0x7ffcb7843c60 "`R/\211?V",
suffix = 0x563fffffffff <error: Cannot access memory at address
0x563fffffffff>, domain = 0xffffffffffffffff <error: Cannot access memory at
address 0xffffffffffffffff>, address_retry_key = 0x563f87da6e32 "-",
domain_retry_key = 0x7f8f1dd465a0 <_IO_str_chk_jumps> "", current_dir = 0x0,
home_dir = 0x275d94323b8aaf00 <error: Cannot access memory at address
0x275d94323b8aaf00>, message = 0x0, user_message = 0x0, onetime_parent =
0x563f87ff4120 <process_info> "30049 handling incoming connection from
localhost (me) [127.0.0.1]\n", pipe_expandn = 0x563f87d39e11 <skip_comment+33>,
return_filename = 0x563f892f5288 "ail\"", self_hostname = 0x563f892f5260
"test@???", shadow_message = 0x563f87daf690 " ()<>@,;:\\\".[]\177",
cipher = 0x563f87d39f5c <read_local_part+172> "L9\363H\211\307\017\204\270",
ourcert = 0x563f892f5260, peercert = 0x563f87d39e11 <skip_comment+33>, peerdn =
0x18 <error: Cannot access memory at address 0x18>, ocsp = -1993363870,
authenticator = 0x563f892f5270 "", auth_id = 0x563f87d3a15b <read_domain+235>
"L9\355H\211\303\306E", auth_sndr = 0x7ffcb7843d00 "\250=\204\267\374\177",
dsn_orcpt = 0x7ffcb7843db0 "", dsn_flags = -1993363886, dsn_aware = 22079, uid
= 3078897072, gid = 32764, flags = {af_allow_file = 0, af_allow_pipe = 0,
af_allow_reply = 0, af_dr_retry_exists = 0, af_expand_pipe = 0, af_file = 1,
af_gid_set = 1, af_home_expanded = 0, af_initgroups = 0, af_local_host_removed
= 1, af_lt_retry_exists = 0, af_pfr = 0, af_retry_skipped = 1,
af_retry_timedout = 0, af_uid_set = 1, af_hide_child = 0, af_sverify_told = 1,
af_verify_pmfail = 1, af_verify_nsfail = 1, af_homonym = 1, af_verify_routed =
0, af_verify_callout = 1, af_include_affixes = 0, af_cert_verified = 0,
af_pass_message = 1, af_bad_reply = 0, af_tcp_fastopen_conn = 0,
af_tcp_fastopen = 1, af_prdr_used = 0, af_chunking_used = 0, af_force_command =
0, af_utf8_downcvt = 1}, domain_cache = {22079}, localpart_cache =
{2301603410}, mode = 22079, more_errno = -1993363887, delivery_usec = 22079,
basic_errno = 15792, child_count = 46980, return_file = 32764, special_action =
0, transport_return = 21088, prop = {address_data = 0x275d94323b8aaf00 <error:
Cannot access memory at address 0x275d94323b8aaf00>, domain_data = 0x0,
localpart_data = 0x14ef110 <error: Cannot access memory at address 0x14ef110>,
errors_address = 0x0, extra_headers = 0x7ffcb7843db0, remove_headers =
0x7ffcb7843da8 "d\256/\211?V", ignore_error = 0, utf8_msg = 0, utf8_downcvt =
0, utf8_downcvt_maybe = 0}}
addr = 0x0
#3 0x0000563f87d5f0b9 in smtp_setup_msg () at smtp_in.c:4754
mail_args = <optimized out>
errmess = 0x0
oldsignal = <optimized out>
pid = <optimized out>
end = 17
recipient_domain = -1993363868
flags = <optimized out>
g = <optimized out>
user_msg = 0x0
hello = 0x0
was_rej_mail = 1
argv = 0x0
etrn_serialize_key = <optimized out>
recipient = 0x0
s = 0x563f00000005 <error: Cannot access memory at address
0x563f00000005>
c = <optimized out>
etrn_command = <optimized out>
smtp_code = 0x0
sender_domain = 5
orcpt = 0x0
ss = <optimized out>
au = <optimized out>
log_msg = 0x0
was_rcpt = 0
start = 1
rc = <optimized out>
done = 0
toomany = 0
discarded = <optimized out>
last_was_rej_mail = <optimized out>
last_was_rcpt = <optimized out>
reset_point = <optimized out>
__PRETTY_FUNCTION__ = "smtp_setup_msg"
#4 0x0000563f87cfdeb7 in main (argc=3, cargv=0x7ffcb7884408) at exim.c:5164
x = {2130706433, 0, 0, 0}
size = <optimized out>
argv = 0x7ffcb7884408
arg_receive_timeout = -1
arg_smtp_receive_timeout = -1
arg_error_handling = 0
filter_sfd = <optimized out>
filter_ufd = -1
i = <optimized out>
rv = <optimized out>
list_queue_option = <optimized out>
msg_action = 0
msg_action_arg = <optimized out>
namelen = <optimized out>
queue_only_reason = 0
recipients_arg = 3
sender_address_domain = 0
test_retry_arg = <optimized out>
test_rewrite_arg = <optimized out>
arg_queue_only = <optimized out>
bi_option = <optimized out>
checking = <optimized out>
count_queue = <optimized out>
expansion_test = <optimized out>
extract_recipients = <optimized out>
flag_G = <optimized out>
flag_n = <optimized out>
forced_delivery = 0
f_end_dot = <optimized out>
deliver_give_up = 0
list_queue = 0
list_options = <optimized out>
list_config = <optimized out>
local_queue_only = <optimized out>
more = 1
one_msg_action = 0
opt_D_used = <optimized out>
queue_only_set = <optimized out>
receiving_message = <optimized out>
sender_ident_set = <optimized out>
session_local_queue_only = <optimized out>
unprivileged = 0
removed_privilege = <optimized out>
usage_wanted = <optimized out>
verify_address_mode = <optimized out>
verify_as_sender = <optimized out>
version_printed = <optimized out>
alias_arg = <optimized out>
called_as = 0x563f87dce972 ""
cmdline_syslog_name = <optimized out>
start_queue_run_id = <optimized out>
stop_queue_run_id = <optimized out>
expansion_test_message = <optimized out>
ftest_domain = <optimized out>
ftest_localpart = <optimized out>
ftest_prefix = <optimized out>
ftest_suffix = <optimized out>
log_oneline = <optimized out>
malware_test_file = <optimized out>
real_sender_address = <optimized out>
originator_home = 0x563f892f4e48 "/root"
sz = <optimized out>
reset_point = 0x563f892f5260
pw = 0x7f8f1dd4bf00 <resbuf.9774>
statbuf = {st_dev = 20, st_ino = 3, st_nlink = 1, st_mode = 8576,
st_uid = 0, st_gid = 5, __pad0 = 0, st_rdev = 34816, st_size = 0, st_blksize =
1024, st_blocks = 0, st_atim = {tv_sec = 1518362888, tv_nsec = 328588062},
st_mtim = {tv_sec = 1518362888, tv_nsec = 328588062}, st_ctim = {tv_sec =
1518361976, tv_nsec = 364588067}, __glibc_reserved = {0, 0, 0}}
passed_qr_pid = <optimized out>
passed_qr_pipe = <optimized out>
group_list = <error reading variable group_list (value requires 262144
bytes, which is more than max-value-size)>
info_flag = <optimized out>
info_stdout = <optimized out>
rsopts = {0x563f87da9df9 "f", 0x563f87dc9c06 "ff", 0x563f87da487d "r",
0x563f87da4d56 "rf", 0x563f87da4d59 "rff"}