Package: perdition
Version: 1.19~rc4-4
Severity: important
Tags: upstream patch
Hi,

I have tried to use perdition as a proxy for the sieve protocol. Unfortunately, whenever an arbitrary user is connecting and authenticating, the corresponding child process is terminated by a SEGFAULT. I originally discovered this issue in 1.19~rc4-2 and thought it was fixed in 1.19~rc4-4, but it is NOT the problem with too long credentials.

This is the backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7faca09e9700 (LWP 7719)]
0x00007fac9ed2b784 in strcasecmp () from /lib/libc.so.6
(gdb) bt
#0 0x00007fac9ed2b784 in strcasecmp () from /lib/libc.so.6
#1 0x000000000042189f in strcasestr (haystack=0x9febb0 "PLAIN DIGEST-MD5", needle=0x426cef "PLAIN") at str.c:732
#2 0x00000000004218f6 in strcasedelimword (haystack=0x9febb0 "PLAIN DIGEST-MD5", needle=0x426cef "PLAIN", delim=0x426ca0 " ") at str.c:761
#3 0x00000000004112d0 in strcaseword (haystack=0x9febb0 "PLAIN DIGEST-MD5", needle=0x426cef "PLAIN") at str.h:397
#4 0x0000000000411559 in managesieve_out_capability (rs_io=0x9fe930) at managesieve_out.c:82
#5 0x00000000004115fb in managesieve_out_setup (rs_io=0x9fe930, eu_io=0x9fc9f0, UNUSED_auth=0x7fff16fed770, UNUSED_tag=0x0) at managesieve_out.c:135
#6 0x000000000041a9e5 in main (argc=1, argv=0x7fff16fefa68, envp=0x7fff16fefa78) at perdition.c:968

Further investigation showed something that is IMHO a severe error in the function strcasestr, which leads to an almost endless loop, running through memory looking for the needle, until a SEGFAULT stops the show. Additionally, under certain conditions the function may be unable to find needle in haystack at all.

There is a patch attached.
-- System Information:
Debian Release: 6.0.4
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages perdition depends on:
ii libc6 2.11.3-2
ii libdb4.8 4.8.30-2
ii libgdbm3 1.8.3-9
ii libidn11 1.15-2
ii libpam0g 1.1.1-6.1+squeeze1
ii libpopt0 1.16-1
ii libssl0.9.8 0.9.8o-4squeeze7
ii libvanessa-adt1 0.0.9-1
ii libvanessa-logger0 0.0.10-1.1
ii libvanessa-socket2 0.0.12-1
diff -uwbr a/perdition/str.c b/perdition/str.c --- a/perdition/str.c 2010-09-01 09:13:30.000000000 +0200 +++ b/perdition/str.c 2012-02-21 11:06:22.000000000 +0100 @@ -728,8 +728,8 @@ haystack_len = strlen(haystack); needle_len = strlen(needle); - for (i = 0; haystack_len + i >= needle_len; i++) - if (!strcasecmp(haystack + i, needle)) + for (i = 0; haystack_len - i >= needle_len; i++) + if (!strncasecmp(haystack + i, needle, needle_len)) return haystack + i; return NULL;
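Review bot: the new loop bound `haystack_len - i >= needle_len` depends on the types of `haystack_len`, `i` and `needle_len`, which this hunk does not show; if they are unsigned, the subtraction is only safe because a non-empty needle ends the loop before `i` passes `haystack_len` and an empty needle returns on the first `strncasecmp` call. Writing the bound as `i + needle_len <= haystack_len` states the same limit without a subtraction and is easier to audit. The switch to `strncasecmp(haystack + i, needle, needle_len)` has to go in together with the bound, since the old `strcasecmp(haystack + i, needle)` call could only match when the needle was the tail of the haystack. A short comment saying so, plus a test with the needle at the start, middle and end of the haystack and with a needle longer than the haystack, would keep this from regressing.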