The following issue has been SUBMITTED.
======================================================================
http://dbmail.org/mantis/view.php?id=1089
======================================================================
Reported By:                AndroSyn
Assigned To:
======================================================================
Project:                    DBMail
Issue ID:                   1089
Category:                   IMAP daemon
Reproducibility:            sometimes
Severity:                   crash
Priority:                   urgent
Status:                     new
Target Version:             3.2.0
target:
======================================================================
Date Submitted:             01-Sep-17 18:49 CEST
Last Modified:              01-Sep-17 18:49 CEST
======================================================================
Summary:                    dbmail 3.2.3 crashes db_findmailbox
Description:
If db_findmailbox is passed an empty string, the imap daemon crashes. I've attached a patch that checks for empty strings.
==114510==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000019cef at pc 0x7fc49283d4ef bp 0x7fc485dd4a20 sp 0x7fc485dd4a18
READ of size 1 at 0x602000019cef thread T10
    #0 0x7fc49283d4ee in db_findmailbox /home/asethman/dbmail-3.2.3/src/dm_db.c:2126
    #1 0x7fc494fcec62 in imap_session_mailbox_open /home/asethman/dbmail-3.2.3/src/imapcommands.c:380
    #2 0x7fc494fcec62 in _ic_select_enter /home/asethman/dbmail-3.2.3/src/imapcommands.c:674
    #3 0x7fc493cd231a (/lib64/libglib-2.0.so.0+0x3700e6c31a)
    #4 0x7fc493cd03e3 (/lib64/libglib-2.0.so.0+0x3700e6a3e3)
    #5 0x7fc492399aa0 in start_thread (/lib64/libpthread.so.0+0x36ff607aa0)
    #6 0x7fc491ed0bcc in __clone (/lib64/libc.so.6+0x36ff2e8bcc)

0x602000019cef is located 1 bytes to the left of 1-byte region [0x602000019cf0,0x602000019cf1)
allocated by thread T10 here:
    #0 0x7fc494f7e400 in __interceptor_malloc ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fc493cafd44 in g_malloc (/lib64/libglib-2.0.so.0+0x3700e49d44)

Thread T10 created by T0 here:
    #0 0x7fc494edbba0 in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:243
    #1 0x7fc4941870ad (/lib64/libgthread-2.0.so.0+0x37022020ad)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/asethman/dbmail-3.2.3/src/dm_db.c:2126 in db_findmailbox
Shadow bytes around the buggy address:
  0x0c047fffb340: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffb350: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fffb360: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fffb370: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffb380: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c047fffb390: fa fa fd fd fa fa fd fa fa fa fd fd fa[fa]01 fa
  0x0c047fffb3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffb3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffb3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==114510==ABORTING
======================================================================
Issue History
Date Modified    Username       Field                    Change
======================================================================
01-Sep-17 18:49  AndroSyn       New Issue
01-Sep-17 18:49  AndroSyn       File Added: imapd-nullstring-fix.diff
======================================================================

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://lists.nfg.nl/mailman/listinfo/dbmail-dev
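The report's READ of size 1 one byte to the left of a 1-byte heap region (the size g_strdup("") would allocate) is the signature of indexing name[strlen(name) - 1] on an empty string. As an added illustration that is not DBMail's code (the real dm_db.c:2126 logic and the attached patch are not shown on the page), the following C places a hypothetical helper with that defect beside the empty-string check the patch is described as adding; the '/' delimiter and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from dm_db.c): strip one trailing hierarchy
 * delimiter ('/' assumed) in place.  DEFECTIVE: for "" strlen() is 0, so
 * name[len - 1] reads one byte before the buffer, exactly the 1-byte READ
 * left of the 1-byte heap region in the ASan report above. */
static void strip_trailing_delim_unchecked(char *name)
{
    size_t len = strlen(name);
    if (name[len - 1] == '/')           /* out-of-bounds read when len == 0 */
        name[len - 1] = '\0';
}

/* The empty-string guard the attached patch describes, at the point a caller
 * hands a name to db_findmailbox: "" yields -1 (no such mailbox) instead of
 * reaching the lookup; otherwise the normalised name is copied into buf. */
int findmailbox_guarded(const char *mailbox, char *buf, size_t bufsz)
{
    if (mailbox == NULL || mailbox[0] == '\0' || bufsz == 0)
        return -1;                      /* reject before any indexing */
    snprintf(buf, bufsz, "%s", mailbox);
    size_t len = strlen(buf);           /* may be 0 only if truncated */
    if (len > 0 && buf[len - 1] == '/')
        buf[len - 1] = '\0';
    return 0;
}

/* 1 when the guard accepts mailbox and normalises it to expected, else 0. */
int guarded_matches(const char *mailbox, const char *expected)
{
    char buf[64];
    if (findmailbox_guarded(mailbox, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char ok[] = "INBOX/";
    strip_trailing_delim_unchecked(ok);     /* safe on non-empty input */
    printf("%s %d %d\n", ok, guarded_matches("", ""), guarded_matches("INBOX/", "INBOX"));
    return 0;
}
```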