On 2019/04/17 22:17, Solene Rapenne wrote:
> I'm not sure whether it's a neomutt bug or OpenBSD specific.
> It can be reproduced reliably.
>
> I have an imap server with an SSL certificate.
> If I make an ssh tunnel to forward it locally and connect to it through
> localhost, the SSL certificate is wrong (due to the different hostname).
>
> neomutt asks for rejecting or accepting it once.
>
> If I reject it, neomutt crashes:
>
> egdb output:
>
> Program received signal SIGBUS, Bus error.
> 0x000008c304af4a3b in SSL_shutdown (s=0xdfdfdfdfdfdfdfdf) at /usr/src/lib/libssl/ssl_lib.c:1001
> 1001            if (s->internal->handshake_func == NULL) {
> (gdb) bt
> #0  0x000008c304af4a3b in SSL_shutdown (s=0xdfdfdfdfdfdfdfdf) at /usr/src/lib/libssl/ssl_lib.c:1001
> #1  0x000008c019ce03ff in ssl_socket_close (conn=0x8c2eeca4000) at ../neomutt-neomutt-20180716/conn/ssl.c:385
> #2  ssl_socket_close_and_restore (conn=0x8c2eeca4000) at ../neomutt-neomutt-20180716/conn/ssl.c:710
> #3  0x000008c019cdcd0e in mutt_socket_close (conn=0x8c2eeca4000) at ../neomutt-neomutt-20180716/conn/socket.c:127
> #4  0x000008c019cd1442 in imap_close_connection (idata=<optimized out>) at ../neomutt-neomutt-20180716/imap/imap.c:1103
> #5  imap_open_connection (idata=0x8c22d01d800) at ../neomutt-neomutt-20180716/imap/imap.c:1088
> #6  0x000008c019cd06c3 in imap_conn_find (account=0x7f7ffffcfa30, flags=2) at ../neomutt-neomutt-20180716/imap/imap.c:970
> #7  0x000008c019cd498e in imap_mbox_open (ctx=0x8c30d7e5000) at ../neomutt-neomutt-20180716/imap/imap.c:1998
> #8  0x000008c019c693ad in mx_mbox_open (path=<optimized out>, flags=0, pctx=0x0) at ../neomutt-neomutt-20180716/mx.c:513
> #9  0x000008c019c57e11 in main (argc=1, argv=0x7f7ffffd0c58, envp=<optimized out>) at ../neomutt-neomutt-20180716/main.c:1101
It tries to close the imap connection that never properly opened in the first place, triggering a use-after-free. I've tried it with upstream's development version too, it behaves differently but still crashes. (Diff to build current devel code at https://pbot.rmdir.de/z7OKw2xWAQsFb8WYTIyrtA). Could you report it at https://github.com/neomutt/neomutt/issues please? Mention that your system malloc writes 0xdf bytes over freed memory, which explains the very visible s=0xdfdfdfdfdfdfdfdf in the backtrace.
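The shape of the defect described in the reply, and the usual fix, as an added illustration that is not neomutt's or libssl's code: a close helper that unconditionally calls the TLS shutdown and never clears the pointer will dereference freed memory when the error path of a failed open calls it a second time. The hardened version below is idempotent (NULL check, free, clear). `struct fake_ssl`, `fake_ssl_shutdown` and `junk_free` are stand-ins constructed for this example; `junk_free` imitates the 0xdf fill the reply attributes to the system malloc, which is why a stale pointer shows up as 0xdfdfdfdfdfdfdfdf in the backtrace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a libssl SSL object (constructed for this example). */
struct fake_ssl {
    int shutdown_calls;
};

/* Minimal connection record: ssl is NULL unless TLS state exists. */
struct connection {
    struct fake_ssl *ssl;
    int fd;
};

static int g_shutdown_total = 0; /* how many shutdowns were actually issued */

static void fake_ssl_shutdown(struct fake_ssl *s)
{
    s->shutdown_calls++;
    g_shutdown_total++;
}

/* Imitates OpenBSD malloc junking: freed bytes are overwritten with 0xdf.
 * Writing to the block before free is legal; any later read through a
 * stale pointer would see 0xdf... values, as in the reported backtrace. */
static void junk_free(void *p, size_t n)
{
    memset(p, 0xdf, n);
    free(p);
}

/* Hardened close: safe to call on a connection that never finished opening
 * and safe to call twice. Returns 1 if a shutdown was issued, 0 otherwise.
 * The defective shape is the same body without the NULL check and without
 * clearing c->ssl: a second call would pass the freed pointer to shutdown. */
static int close_safe(struct connection *c)
{
    if (c == NULL || c->ssl == NULL)
        return 0;
    fake_ssl_shutdown(c->ssl);
    junk_free(c->ssl, sizeof *c->ssl);
    c->ssl = NULL; /* the pointer must not outlive the object */
    return 1;
}

/* Models the open path: TLS state is created, then, if the user rejects the
 * certificate, torn down and the failure reported to the caller. */
static int open_connection(struct connection *c, int reject_cert)
{
    c->ssl = calloc(1, sizeof *c->ssl);
    if (c->ssl == NULL)
        return -1;
    if (reject_cert) {
        close_safe(c); /* first teardown, inside open */
        return -1;
    }
    return 0;
}

/* Rejected certificate: open fails, and the caller's error path closes the
 * connection again. Returns 1 only if exactly one shutdown was issued, the
 * second close was a no-op, and no dangling pointer remains. */
int reject_scenario_ok(void)
{
    struct connection c = { .ssl = NULL, .fd = -1 };
    int second_rc = -1;
    g_shutdown_total = 0;
    if (open_connection(&c, 1) != 0)
        second_rc = close_safe(&c); /* second teardown, in the caller */
    return g_shutdown_total == 1 && second_rc == 0 && c.ssl == NULL;
}

/* Accepted certificate: normal open then close issues exactly one shutdown. */
int accept_scenario_shutdowns(void)
{
    struct connection c = { .ssl = NULL, .fd = -1 };
    g_shutdown_total = 0;
    if (open_connection(&c, 0) == 0)
        close_safe(&c);
    return g_shutdown_total;
}

int main(void)
{
    printf("reject path safe: %s\n", reject_scenario_ok() ? "yes" : "no");
    printf("accept path shutdowns: %d\n", accept_scenario_shutdowns());
    return 0;
}
```

The junk fill is what makes this class of bug loud instead of silent: on an allocator that leaves freed memory intact, the second shutdown would often succeed by accident and the dangling pointer would survive into later code paths.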