Bug 14069 - Buffer overflow in mail(1)
Summary: Buffer overflow in mail(1)
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 4.0-CURRENT
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Mike Heffner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 1999-10-01 05:40 UTC by Peter Jeremy
Modified: 2001-06-12 23:40 UTC (History)
0 users

See Also:


Description Peter Jeremy 1999-10-01 05:40:01 UTC
	Mail(1) gets SIGSEGV whilst processing mailbox.

Fix: The work-around I implemented was:
	# cd /usr/ports/mail/mutt
	# make
	# make install
	:-)

	I found (and fixed) what appeared to be a number of potential
	buffer overflows in copyin(), nextword() and parse() (all of
	which take char array with no size as an argument).  This
	didn't help.

	Further investigation with gdb shows that skin() reads
	arbitrarily-sized input into a fixed size buffer.  A quick
	fix for this is below.  This fixed my problem with the
	above message, but I don't know if it's safe in general.



Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5982

Index: aux.c
===================================================================
RCS file: /home/CVSROOT/src/usr.bin/mail/aux.c,v
retrieving revision 1.4
diff -u -r1.4 aux.c
--- aux.c	1997/07/24 06:56:33	1.4
+++ aux.c	1999/10/01 04:32:09
@@ -456,7 +456,7 @@
 	register char *cp, *cp2;
 	char *bufend;
 	int gotlt, lastsp;
-	char nbuf[BUFSIZ];
+	char *nbuf = alloca(strlen(name));
 
 	if (name == NOSTR)
 		return(NOSTR);
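Review bot: `alloca(strlen(name))` is one byte short for a NUL-terminated copy of name; the usual size is `strlen(name) + 1`. More fundamentally, sizing a stack allocation from an untrusted header length (the report says skin() reads arbitrarily-sized input) swaps the fixed-buffer overflow for an unbounded stack allocation, and alloca() gives no indication of failure, which matches the reporter's own doubt that the change is safe in general. A checked malloc() buffer, freed on every return path, with copies bounded against the existing `bufend` would be the safer shape; the diff should also confirm `<stdlib.h>` is included for the alloca() prototype if alloca() is kept.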
How-To-Repeat: 
	Create a file containing the following (between the '===') and
	feed it to mail with `mail -f file'. (The mail addresses have
	been munged both to protect the guilty and to enable the
	location of the failure to be more accurately identified).

	Mail reports:
Mail version 8.1 6/6/93.  Type ? for help.
"file": 1 message 1 new
zsh: segmentation fault (core dumped)

================================================================
From aZZYZ.XZWZV@ZUZTZSZ.RZQ.ZP Mon Sep 27 18:11:11 1999
Return-Path: <ZOZNZ.MZLZK@ZJZIZHZ.GZF.ZE>
Received: from ZDZCZB.ZAZzZyZ.xZw.Zv (ZuZtZs.ZrZqZpZ.oZn.Zm [139.188.20.1])
	by ZlZkZj.ZiZhZgZ.fZe.Zd (8.9.3/8.9.3) with ESMTP id SAA17296
	for <jeremyp@ZcZbZa.YYXYWYV.YUY.TY>; Mon, 27 Sep 1999 18:11:10 +1000 (EST)
	(envelope-from SYRYQ.YPYOY@NYMYLYK.YJY.IY)
Received: from HYGY.FYE.YDYCYBY.AYz.Yy (mfg1 [139.188.23.1]) by YxYwYv.YuYtYsY.rYq.Yp (8.8.8/8.7.3) with ESMTP id SAA15285 for <jeremyp@YoYnYm.YlYkYjY.iYh.Yg>; Mon, 27 Sep 1999 18:11:10 +1000 (EST)
Received: from YfYeYd.YcYbYaX.XWX.VX by UXT.XSXRXQX.PXO.XN
 (PMDF V5.2-32 #37641) with ESMTP id <01JGH2YWZRSWBL6YMG@XMX.LXKXJXI.XHX.GX>
 for jeremyp@FXEXDX.CXBXAXz.XyX.xX (ORCPT rfc822;wXvXu.XtXsXr@XqXpXoX.nXm.Xl)
 ; Mon, 27 Sep 1999 18:09:45 +1000
Received: (from prdadm@localhost)
 by XkXjXi.XhXgXfX.eXd.Xc (AIX4.3/UCB 8.8.8/8.8.8)
 id SAA27452 for XbXaW.WVWUWT@WSWRWQW.PWO.WN; Mon, 27 Sep 1999 18:05:26 +1000
Date: Mon, 27 Sep 1999 18:05:26 +1000
From: WMWLW.KWJWI@WHWGWFW.EWD.WC (KYLIE SMITH)
Subject: Notification of future termination xxxxxxxx
To: WBW_AWzWyWxW@wWvWuW.tWsWrWq.WpW.oW
To: nWm_WlWkWjWi@WhWgWf.WeWdWcW.bWa.VV
To: UVT_VS@VRVQVP.VOVNVMV.LVK.VJ
To: VIV_HVGVFVE@VDVCVB.VAVzVyV.xVw.Vv
To: VuV_tVsVrVqV@pVoVnV.mVlVkVj.ViV.hV
To: gVf_VeVdV@cVbVaU.UTUSURU.QUP.UO
To: UNU_MULUKU@JUIUHU.GUFUEUD.UCU.BU
To: AUz_UyUxUw@UvUuUt.UsUrUqU.pUo.Un
To: UmU_lU@kUjUiU.hUgUfUe.UdU.cU
To: bUa_TTSTRTQT@PTOTNT.MTLTKTJ.TIT.HT
To: GTFTETDT.CTBTAT@zTyTxTw.TvT.uT
To: tTsTr.TqTpTo@TnTmTlT.kTj.Ti
To: ThTgTfT.eTdTcT@bTaSSRS.QSP.SO
To: SNSMSLSKSJ.SISHSGS@FSESDSC.SBS.AS
To: zSySxSwS.vSuStS@sSrSqSp.SoS.nS
To: mSlSkS.jS@iShSgSf.SeS.dS
To: cSbS.aRRQR@PRORNRM.RLR.KR
To: JRIRH.RGR@FRERDRC.RBR.AR
To: zRyRx.RwRv@RuRtRsR.rRq.Rp
To: RoRnRmRl.RkRjRi@RhRgRfR.eRd.Rc
To: RbRa.QQPQOQNQ@MQLQKQJ.QIQ.HQ
To: GQFQEQDQCQ.BQAQzQy@QxQwQvQ.uQt.Qs
To: QrQqQp.QoQnQmQ@lQkQjQi.QhQ.gQ
To: fQeQdQcQbQa.PPOPNPMPLP@KPJPIPH.PGP.FP
To: EPDPCPBP.APzP@yPxPwPv.PuP.tP
To: sPr.PqPpP@oPnPmPl.PkP.jP
To: iPhPgP.fPePd@PcPbPaO.ONO.MO
To: LOK.OJO@IOHOGOF.OEO.DO
To: COBO.AOzOyOxOw@OvOuOtO.sOr.Oq
To: OpOoOn.OmOlOkOjOiOhO@gOfOeOd.OcO.bO
To: aNNMN.LNKNJN@INHNGNF.NEN.DN
To: CNBNA.NzNyN@xNwNvNu.NtN.sN
To: rNqN.pNoNnNmN@lNkNjNi.NhN.gN
To: fNeN.dNcNb@NaMMLMK.MJM.IM
Reply-to: HMGMF.MEMDM@CMBMAMz.MyM.xM (KYLIE SMITH)
Message-id: <wMvMuMtMsMrM.qMp27452@MoMnMm.MlMkMjM.iMh.Mg>
MIME-version: 1.0
X-Mailer: SAP R/3 Internet Mail Gateway 3.1I8
Content-type: TEXT/PLAIN; CHARSET="ISO-8859-1"
Content-transfer-encoding: 7BIT

Termination Date : 01.10.1999

Employee No: xxxxxxxx UPI: ZZxxxxxxx
Employee Name : Xxxxx Xxxxxxx Xxxxxx
Work Address : A.2/1F .
Phone Extension :
Position title : xxxxxxxx xxxxxxx xxxxxxxxxx
Department : xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx
Supervisor : Zxxxx Yttttt

================================================================

	Invoking gdb on the core file shows %ebp contains 0x4d492e4d,
	which is "M.IM" after byte reversal.  This appears in the
	last `To:' address above.
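The skin() overflow the report describes, as an added example that is not code from the PR or from mail(1): a simplified skin()-style address cleaner with the explicit bounds check the original lacked. The function names skin_bounded and skin_matches, the 256-byte cap in the helper, and the example addresses in the comments are constructed for this illustration, and the cleaner handles only parenthesised comments, whitespace and a single angle-bracketed address, not the full syntax the real skin() accepts.

```c
/* Added example, not from the PR or mail(1): a simplified skin()-style
 * address cleaner with the bounds check the reported skin() lacked. */
#include <string.h>

/* Strip "(comments)" and whitespace from name, keep only the part inside
 * <...> when present, and write the result into out[outsz].  Returns 0 on
 * success, -1 if it would not fit (out[] is then empty), so the caller can
 * reject an over-long header instead of writing past a fixed BUFSIZ array.
 * The real skin() also handles quoted strings and address lists. */
int skin_bounded(const char *name, char *out, size_t outsz)
{
    const char *lt = strchr(name, '<');
    size_t len = 0;
    int depth = 0, gotlt = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (lt != NULL) {                    /* "Name (c) <addr>" -> "addr" */
        name = lt + 1;
        gotlt = 1;
    }
    for (const char *cp = name; *cp != '\0'; cp++) {
        if (gotlt && *cp == '>')
            break;
        if (*cp == '(') { depth++; continue; }
        if (*cp == ')') { if (depth > 0) depth--; continue; }
        if (depth > 0 || *cp == ' ' || *cp == '\t')
            continue;                    /* inside a comment, or whitespace */
        if (len + 1 >= outsz) {          /* no room for this byte plus NUL */
            out[0] = '\0';
            return -1;
        }
        out[len++] = *cp;
    }
    out[len] = '\0';
    return 0;
}

/* Self-check: 1 if cleaning name into an outsz-byte buffer (at most 256)
 * succeeds and yields expect, else 0. */
int skin_matches(const char *name, size_t outsz, const char *expect)
{
    char buf[256];

    return outsz <= sizeof buf && skin_bounded(name, buf, outsz) == 0 &&
           strcmp(buf, expect) == 0;
}
```

Feeding the munged From: address from the reproducer through skin_bounded with a 64-byte buffer yields the bare address; an address that needs more bytes than the buffer holds is rejected with -1 rather than overrunning it.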
Comment 1 ru freebsd_committer freebsd_triage 1999-10-01 16:28:49 UTC
On Fri, Oct 01, 1999 at 02:39:16PM +1000, Peter Jeremy wrote:
> 
> >Description:
> 
> 	Mail(1) gets SIGSEGV whilst processing mailbox.
> 
> >How-To-Repeat:
> 
> 	Create a file containing the following (between the '===') and
> 	feed it to mail with `mail -f file'. (The mail addresses have
> 	been munged both to protect the guilty and to enable the
> 	location of the failure to be more accurately identified).
> 
> 	Mail reports:
> Mail version 8.1 6/6/93.  Type ? for help.
> "file": 1 message 1 new
> zsh: segmentation fault (core dumped)
> 
Not for me:

Script started on Fri Oct  1 18:26:18 1999
Mail version 8.1 6/6/93.  Type ? for help.
"file": 1 message 1 new
>N  1 WMWLW.KWJWI@WHWGWFW.  Mon Sep 27 18:11  68/2789  "Notification of futur"
& q
"file" complete

Script done on Fri Oct  1 18:26:20 1999


Could you please gzip and send me your test mbox?


Thanks,
-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
Comment 2 Mike Heffner freebsd_committer freebsd_triage 2001-03-30 06:32:05 UTC
State Changed
From-To: open->feedback




Comment 3 Mike Heffner freebsd_committer freebsd_triage 2001-03-30 06:32:05 UTC
Responsible Changed
From-To: freebsd-bugs->mikeh
Comment 4 mheffner 2001-03-30 07:04:30 UTC
I messed up this PR change, the following is what should have been included:

On 30-Mar-2001 mikeh@FreeBSD.org wrote:
| Synopsis: Buffer overflow in mail(1)
| 
| State-Changed-From-To: open->feedback
| State-Changed-By: mikeh
| State-Changed-When: Thu Mar 29 21:32:05 PST 2001
| State-Changed-Why: 

Please test the recent changes I've committed that address multiple overflow
issues.

| Responsible-Changed-From-To: freebsd-bugs->mikeh
| Responsible-Changed-By: mikeh
| Responsible-Changed-When: Thu Mar 29 21:32:05 PST 2001
| Responsible-Changed-Why: 

I've just committed multiple overflow fixes that probably fix this problem.

| 
| http://www.freebsd.org/cgi/query-pr.cgi?pr=14069


Mike

-- 
  Mike Heffner       <mheffner@vt.edu>
  Blacksburg, VA   <mikeh@FreeBSD.org>
  http://filebox.vt.edu/users/mheffner
Comment 5 Mike Heffner freebsd_committer freebsd_triage 2001-06-12 23:39:04 UTC
State Changed
From-To: feedback->closed

Fix has been MFCed.