https://bugs.exim.org/show_bug.cgi?id=3059
Bug ID: 3059
Summary: SIGSEGV on SMTP delivery if remote badly responds while PIPELINING and CHUNKED is active
Product: Exim
Version: 4.97
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Transports
Assignee: unallocated@???
Reporter: wbreyha@???
CC: exim-dev@???
Got a SIGSEGV today while delivering an email from one of our mailing lists to
several recipients... After some debugging and chatting on IRC, it boils down to
the following:
If the first (reachable) remote MX host announces
    PIPELINING and
    CHUNKING
and both are active in the client smtp transport ...
and the destination has 1+ reachable MX RRs
and the first one responds to pipelined
    MAIL FROM: bla
    RCPT TO: blub
    BDAT xxxx
with
    250 Ok
    550 No....
AND drops the connection before including a return code for the BDAT...
THEN Exim gets confused. It removes the RCPT address it got a 550 for from the
address list, BUT it interprets the state as DEFER (and even logs that).
This is clearly very bad behaviour from the remote side breaking RFCs. Still,
Exim shouldn't crash at least.
debug shows:
read response data: size=396
SMTP<< 250 OK
sync_responses expect rcpt for xxxxxx@???
SMTP<< 550-recipient address ....can't be
550-verified
...
550 Server time: ....
look for one response for BDAT
Calling SSL_read(0x1184450, 0x10a7c30, 4096)
SMTP(closed)<<
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is NULL
SMTP(close)>>
cmdlog: '220:EHLO:250-:STARTTLS:220:EHLO:250-:MAIL|:RCPT|:BDAT:250:550-'
LOG: MAIN
delivering 1rDO48-0000000xxxx-xxxx: just tried mailgate2.xxx.xxx-xxxxx.xx
[xxx.xx.x.x] for xxxx@???: result DEFER
added retry item for T:.....: errno=0 more_errno=0,M flags=2
Now the "1+" MX RR part comes up. Exim tries at the second MX, doesn't even
send a "RCPT TO", because the address list is empty now. Gets a "503 valid RCPT
command must precede BDAT" from the remote side... and crashes while trying to
add an entry to the retry database with an empty address list.
I've full debug "-d+all -M <msg_id>" output available for both the fail/segv
and the working delivery after setting hosts_avoid_pipelining = ... in the smtp
transport and will keep it until this is fixed. Just request it if needed.
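
A minimal C model of the reply accounting described in this report, added here as an illustration; it is not Exim's code and not from the reporter. The struct, the function names and the sample address are hypothetical, and the model assumes that a 5xx reply to RCPT is final for that recipient even when the connection drops before the BDAT reply, so no second MX is tried with an empty address list and the retry step tolerates NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model for illustration; none of these names are Exim's. */
enum result { PENDING, ACCEPTED, FAIL, DEFER };
struct addr { const char *rcpt; enum result res; struct addr *next; };

/* Match replies to pipelined MAIL, one RCPT per address, then BDAT.
   codes[] holds the reply codes actually read; running out of codes means
   the peer closed early. Returns how many addresses end up DEFER. */
size_t sync_pipelined(struct addr *list, const int *codes, size_t n) {
  size_t i = 0, deferred = 0;
  int mail = i < n ? codes[i++] : 0;              /* 0 = nothing read */
  for (struct addr *a = list; a; a = a->next) {
    int c = mail / 100 == 2 ? (i < n ? codes[i++] : 0) : mail;
    a->res = c / 100 == 2 ? ACCEPTED : c / 100 == 5 ? FAIL : DEFER;
  }
  int bdat = i < n ? codes[i] : 0;
  for (struct addr *a = list; a; a = a->next) {
    if (a->res == ACCEPTED && bdat / 100 != 2)
      a->res = bdat / 100 == 5 ? FAIL : DEFER;
    if (a->res == DEFER) deferred++;
  }
  return deferred;
}

/* Keep only DEFER addresses for the next MX; the result may be NULL. */
struct addr *still_deferred(struct addr *list) {
  struct addr *head = NULL, **tail = &head;
  for (struct addr *a = list, *nx; a; a = nx) {
    nx = a->next;
    a->next = NULL;
    if (a->res == DEFER) { *tail = a; tail = &a->next; }
  }
  return head;
}

/* Retry bookkeeping must tolerate an empty list instead of dereferencing it. */
const char *retry_key(const struct addr *first) {
  return first ? first->rcpt : NULL;
}

int main(void) {
  struct addr a = { "rcpt@example.test", PENDING, NULL };  /* constructed */
  int codes[] = { 250, 550 };          /* MAIL ok, RCPT 550, no BDAT reply */
  size_t left = sync_pipelined(&a, codes, 2);
  printf("deferred=%zu next_host=%s\n", left, still_deferred(&a) ? "yes" : "no");
  return 0;
}
```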