I built imap-2007d dmail and tmail last week in response to the recent security advisory. I have found that, on the SPARC Solaris 10 system that I currently use as a mail server, tmail segfaults when the "-I" option is used.

The fault was manifesting at line 513 in tmail.c:

  sprintf (tmp,"%s appending to %.80s (%s %.80s)",
           prt ? prt->dtb->name : "default",mailbox,
           ((sbuf.st_mode & S_IFMT) == S_IFDIR) ? "directory" : "file",path);

prt is non-NULL, but prt->dtb is NULL.

I tracked back from the function deliver_safely() to deliver(), where the pointer comes from the variable "ds". ds is only explicitly set if "dv" is non-NULL at line 368. If no dv has been imputed from the mailbox name then ds is passed uninitialised into deliver_safely() at line 376.

On a Solaris 9 machine the uninitialised ds seems to be zeroed by default. When the same binary is run on a Solaris 10 system it contains the value 0x114fec. I have modified the sources to explicitly zero initialize ds and dv, and the resulting code now works on my machine (dv seems to "happen" to be zero anyway, but I thought it prudent to be explicit about both pointers).

--- src/tmail/tmail.c.orig      2008-10-30 21:59:39.000000000 +0000
+++ src/tmail/tmail.c   2008-11-27 16:56:59.000000000 +0000
@@ -275,7 +275,7 @@

 int deliver (FILE *f,unsigned long msglen,char *user)
 {
-  MAILSTREAM *ds;
+  MAILSTREAM *ds = 0;
   char *s,*t,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN];
   struct passwd *pwd;
   STRING st;
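Review bot: the `MAILSTREAM *ds = 0;` initialiser removes the garbage pointer, but the crash site quoted in the report still tests only `prt` before reading `prt->dtb->name`, so any stream whose `dtb` is null would fault there again. Consider guarding that expression as well, e.g. `(prt && prt->dtb) ? prt->dtb->name : "default"`, and adding a short comment at the declaration that a null `ds` means no driver was selected.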
@@ -328,7 +328,7 @@
                 ((inbox[2] == 'B') || (inbox[2] == 'b')) &&
                 ((inbox[3] == 'O') || (inbox[3] == 'o')) &&
((inbox[4] == 'X') || (inbox[4] == 'x')) && !inbox[5])) {
-    DRIVER *dv;
+    DRIVER *dv = 0;
                                /* "-I #driver.xxx/name"? */
     if ((*inbox == '#') && ((inbox[1] == 'd') || (inbox[1] == 'D')) &&
        ((inbox[2] == 'r') || (inbox[2] == 'R')) &&
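Review bot: the later non-NULL test on `dv` (line 368 per the report) depends on the `DRIVER *dv = 0;` initialiser, yet nothing at the declaration says so. Add a brief comment that null means no `#driver.` prefix was parsed from the `-I` argument, and write the null pointer constant the same way here as for `ds` so the two declarations read consistently.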



Regards,
--
Neil Hoggarth -------------- Department of Physiology, Anatomy and Genetics
Head of IT --------------------------------------- University of Oxford, UK

_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
