On 2019/04/17 22:17, Solene Rapenne wrote:
> I'm not sure it's a neomutt bug or openbsd specific. 
> It can be reproduced reliably.
> 
> I have an imap server with a SSL certificate.
> If I make an ssh tunnel to forward it locally and connect to it through
> localhost, the SSL certificate is wrong (due to the different hostname).
> 
> neomutt asks for rejection or accepting it once.
> 
> If I reject it, neomutt crashes:
> 
> egdb output:
> 
> Program received signal SIGBUS, Bus error.
>                        0x000008c304af4a3b in SSL_shutdown 
> (s=0xdfdfdfdfdfdfdfdf) at /usr/src/lib/libssl/ssl_lib.c:1001
> 1001            if (s->internal->handshake_func == NULL) {
> (gdb) bt
> #0  0x000008c304af4a3b in SSL_shutdown (s=0xdfdfdfdfdfdfdfdf) at 
> /usr/src/lib/libssl/ssl_lib.c:1001
> #1  0x000008c019ce03ff in ssl_socket_close (conn=0x8c2eeca4000) at 
> ../neomutt-neomutt-20180716/conn/ssl.c:385
> #2  ssl_socket_close_and_restore (conn=0x8c2eeca4000) at 
> ../neomutt-neomutt-20180716/conn/ssl.c:710
> #3  0x000008c019cdcd0e in mutt_socket_close (conn=0x8c2eeca4000) at 
> ../neomutt-neomutt-20180716/conn/socket.c:127
> #4  0x000008c019cd1442 in imap_close_connection (idata=<optimized out>) at 
> ../neomutt-neomutt-20180716/imap/imap.c:1103
> #5  imap_open_connection (idata=0x8c22d01d800) at 
> ../neomutt-neomutt-20180716/imap/imap.c:1088
> #6  0x000008c019cd06c3 in imap_conn_find (account=0x7f7ffffcfa30, flags=2) at 
> ../neomutt-neomutt-20180716/imap/imap.c:970
> #7  0x000008c019cd498e in imap_mbox_open (ctx=0x8c30d7e5000) at 
> ../neomutt-neomutt-20180716/imap/imap.c:1998
> #8  0x000008c019c693ad in mx_mbox_open (path=<optimized out>, flags=0, 
> pctx=0x0) at ../neomutt-neomutt-20180716/mx.c:513
> #9  0x000008c019c57e11 in main (argc=1, argv=0x7f7ffffd0c58, envp=<optimized 
> out>) at ../neomutt-neomutt-20180716/main.c:1101
> 

It tries to close the imap connection that never properly opened in the
first place, triggering a use-after-free. I've tried it with upstream's
development version too, it behaves differently but still crashes.
(Diff to build current devel code at 
https://pbot.rmdir.de/z7OKw2xWAQsFb8WYTIyrtA).

Could you report it at https://github.com/neomutt/neomutt/issues please?
Mention that your system malloc writes 0xdf bytes over freed memory,
which explains the very visible s=0xdfdfdfdfdfdfdfdf in the backtrace.
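The failure mode described above (a close path run twice over the same connection, the second time on a pointer libssl's SSL_free already released, with OpenBSD's malloc junking the freed chunk with 0xdf bytes) and the usual defensive pattern against it, as an added example that is not neomutt's or libssl's code: the FakeSSL/SslConn types, the static pool that stands in for junked heap memory, and the close_unsafe/close_safe functions are all hypothetical stand-ins, and the actual upstream fix may differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libssl's SSL object: one field that the
   shutdown path reads first, like s->internal->handshake_func above. */
typedef struct { uint32_t handshake_func; } FakeSSL;

/* Per-connection TLS state as an IMAP/TLS layer might keep it. */
typedef struct { FakeSSL *ssl; } SslConn;

#define JUNK 0xDFDFDFDFu   /* what 0xdf-filled freed memory reads back as */

/* Emulate malloc junking (OpenBSD fills freed chunks with 0xdf). The
   storage is static so reading it afterwards is defined behaviour here. */
static FakeSSL pool[1];
static FakeSSL *fake_ssl_new(void) { pool[0].handshake_func = 1; return &pool[0]; }
static void fake_ssl_free(FakeSSL *s) { memset(s, 0xdf, sizeof *s); }

/* Mimics SSL_shutdown's first dereference; -1 means it read junk. */
static int fake_ssl_shutdown(FakeSSL *s) {
    if (s->handshake_func == JUNK) return -1;  /* use-after-free observed */
    return 0;
}

/* Unsafe close: frees but leaves conn->ssl dangling, so a second call
   (failed open's cleanup, then the generic socket close) reads junk. */
static int close_unsafe(SslConn *conn) {
    int rc = fake_ssl_shutdown(conn->ssl);
    fake_ssl_free(conn->ssl);
    return rc;
}

/* Hardened close: idempotent. NULL the pointer after freeing and treat
   NULL as "already closed" so a repeated close is a no-op. */
static int close_safe(SslConn *conn) {
    if (conn->ssl == NULL) return 1;           /* nothing left to shut down */
    int rc = fake_ssl_shutdown(conn->ssl);
    fake_ssl_free(conn->ssl);
    conn->ssl = NULL;
    return rc;
}

/* Drive a close variant through the double-close sequence from the report
   and return the result of the second close. */
static int double_close(int (*closer)(SslConn *)) {
    SslConn conn = { fake_ssl_new() };
    closer(&conn);           /* cleanup after the rejected certificate */
    return closer(&conn);    /* later mutt_socket_close on the same conn */
}

int main(void) {
    printf("unsafe second close: %d\n", double_close(close_unsafe)); /* -1 */
    printf("safe second close:   %d\n", double_close(close_safe));   /* 1 */
    return 0;
}
```

Outside this sandbox the stale read would be a real fault, which is exactly why the 0xdf pattern in the register makes the bug visible early.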
