"Nathaniel W. Turner" <[EMAIL PROTECTED]> writes:
> After upgrading to 6.3.1-4, fetchmail dies with a segmentation fault
> after trying to process the first message. The transcript of the
> session, a sanitized fetchmailrc, and the message in question are
> attached to this report.
Thank you for the bug report. It turns out the closer circumstances of
the bounce wouldn't matter; valgrind quickly pinpointed the bug to a
bogus free() call.

I broke this when I removed alloca() and added the necessary free()
code. My code tried to decrement a pointer address before dereferencing,
rather than decrementing the dereferenced pointer; this resulted in
frequent segfaults on machines that support unaligned access and bus
errors on those that don't (SPARC). Turns out the fix is rather simple.
(Attached.)

Note the patch has had little testing (it fixes the immediate valgrind
problem and looks less stupid). Please test and report.

Kind regards,
--
Matthias Andree
Index: NEWS
===================================================================
--- NEWS (revision 4651)
+++ NEWS (revision 4652)
@@ -60,6 +60,9 @@
* Add missing --help text for "--sslcertck" option. Matthias Andree.
* fetchmailconf.py: Accept --help and --version. Matthias Andree.
* fetchmail --version now prints the copyright notice. Matthias Andree.
+* Fix segfault or bus error after bouncing a message. This bug was introduced
+ into 6.3.0 when removing alloca(); it caused fetchmail to free random memory.
+ Reported by Nathaniel W. Turner, Debian Bug#348747. Fix: Matthias Andree.
fetchmail 6.3.1 (released 2005-12-19):
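Review bot: the added NEWS entry says only "after bouncing a message", while the fix in sink.c sits inside `#ifdef EXPLICIT_BOUNCE_ON_BAD_ADDRESS` on the path for addresses rejected by the MDA; naming that condition in the entry would let users and packagers tell whether their build and setup are affected. Because the entry describes an invalid free() reached while processing fetched mail, it is also worth wording it so that it stands out as a memory-safety fix rather than blending in with the --help and --version items above it.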
Index: sink.c
===================================================================
--- sink.c (revision 4651)
+++ sink.c (revision 4652)
@@ -984,14 +984,19 @@
#ifdef EXPLICIT_BOUNCE_ON_BAD_ADDRESS
/*
* This should not be necessary, because the SMTP listener itself
- * should genrate a bounce for the bad address.
+ * should generate a bounce for the bad address.
+ *
+ * XXX FIXME 2006-01-19: is this comment true? I don't think
+ * it is, because the SMTP listener isn't required to accept bogus
+ * messages. There appears to be general SMTP<->MDA and
+ * responsibility confusion.
*/
if (*bad_addresses)
send_bouncemail(ctl, msg, XMIT_RCPTBAD,
"Some addresses were rejected by the MDA fetchmail forwards to.\r\n",
*bad_addresses, from_responses);
while (*bad_addresses)
- free(from_responses[*--bad_addresses]);
+ free(from_responses[--*bad_addresses]);
free(from_responses);
#endif /* EXPLICIT_BOUNCE_ON_BAD_ADDRESS */
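Review bot: in the cleanup loop, `free(from_responses[--*bad_addresses]);` now counts the caller's `*bad_addresses` down to zero as a side effect of freeing, so any code that reads the count after this block sees 0 instead of the number of rejected addresses. Consider iterating over a local copy of the count, for example `n = *bad_addresses; while (n) free(from_responses[--n]);` with `n` a local of the same type; that leaves the caller's value intact and removes the `*--` versus `--*` precedence trap that caused the original bug. The spelling fix and the new XXX FIXME in the comment are unrelated to the crash and would be easier to track in a separate commit.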