[exim-dev] [Bug 3059] New: SIGSEGV on SMTP delivery if remot…

Góra strony
Delete this message
Reply to this message
Autor: Exim Bugzilla
Data:  
Dla: exim-dev
Temat: [exim-dev] [Bug 3059] New: SIGSEGV on SMTP delivery if remote badly responds while PIPELINING and CHUNKED is active
https://bugs.exim.org/show_bug.cgi?id=3059

            Bug ID: 3059
           Summary: SIGSEGV on SMTP delivery if remote badly responds
                    while PIPELINING and CHUNKED is active
           Product: Exim
           Version: 4.97
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Transports
          Assignee: unallocated@???
          Reporter: wbreyha@???
                CC: exim-dev@???


Got a SIGSEGV today while delivering an EMail from one of our mailinglists to
several recipients... after some debugging and chatting on IRC it boils down to
the following:

If the first (reachable) remote MX host announces
PIPELINING and
CHUNKING
and both is active in the client smtp transport ...

and the destination has 1+ reachable MX RRs

and the first one responds to pipelined
MAIL FROM: bla
RCPT TO: blub
BDAT xxxx
with
250 Ok
550 No....

AND drops the connection before including a return code for the BDAT...

THEN Exim gets confused. It removes the RCPT address it got a 550 for from the
address list, BUT it interprets the state as DEFER (and even logs that).

This is clearly very bad behaviour from the remote side breaking RFCs. Still,
Exim shouldn't crash at least.

debug shows:
read response data: size=396
SMTP<< 250 OK
sync_responses expect rcpt for xxxxxx@???
SMTP<< 550-recipient address ....can't be
550-verified
...
550 Server time: ....
look for one response for BDAT
Calling SSL_read(0x1184450, 0x10a7c30, 4096)
SMTP(closed)<<
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is NULL
SMTP(close)>>
cmdlog: '220:EHLO:250-:STARTTLS:220:EHLO:250-:MAIL|:RCPT|:BDAT:250:550-'
LOG: MAIN
delivering 1rDO48-0000000xxxx-xxxx: just tried mailgate2.xxx.xxx-xxxxx.xx
[xxx.xx.x.x] for xxxx@???: result DEFER
added retry item for T:.....: errno=0 more_errno=0,M flags=2

Now the "1+" MX RR part comes up. Exim tries at the second MX, doesn't even
send a "RCPT TO", because the address list is empty now. Gets a "503 valid RCPT
command must precede BDAT" from the remote side... and crashes while trying to
add an entry to the retry database with an empty address list.

I've full debug "-d+all -M <msg_id>" output available for both the fail/segv
and the working delivery after setting hosts_avoid_pipelining = ... in the smtp
transport and will keep it until this is fixed. Just request it if needed.

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/