Bug 8100 - well-placed '\0' in mail text renders mailx unusable
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mailx
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Florian La Roche
QA Contact:
URL:
Whiteboard:
Duplicates: 3719 6859
Depends On:
Blocks:
Reported: 2000-01-01 21:29 UTC by Jeff Trawick
Modified: 2008-05-01 15:37 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-02-03 22:46:48 UTC


Description Jeff Trawick 2000-01-01 21:29:58 UTC
The mail command (all versions, including what ships with RH 6.0 and
RH 6.1) is vulnerable to a binary zero in the first byte of a line
of a mail message.  When compiled with -O2 it gets a segmentation
violation.  Of course this is a bogus mail message but some software
generates it as I received SPAM recently that had '\0' in the magic
place and was unable to use the mail command.

When -O2 was not used at compilation, the segmentation violation did not
occur.

I have attached a diff below showing one possible fix.  For this diff,
fio.c.old is the version with all shipped patches applied from
mailx-8.1.1-9.src.rpm.

Basically, the fix is to guarantee that there is at least one non-'\0'
character in a line read from the message.  If there is not
(i.e., the first char is '\0') two problems occur:
1) count is zero, so "linebuf[count - 1] = 0" overlays the local
variable "FILE *mestmp", causing a subsequent write to that file to
get a segmentation violation since mestmp is invalid (this seems to
occur only with -O2)
2) the manipulation of the message requires that there is some text
in each line; an empty stored line is treated as the end of all
messages.


[root@k5 mailx-8.1.1]# diff -C 4 fio.c.old fio.c
*** fio.c.old   Fri Dec 31 16:00:49 1999
--- fio.c       Sat Jan  1 16:12:06 2000
***************
*** 99,113 ****
                        }
                        makemessage(mestmp);
                        return;
                }
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!               linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)) {
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
--- 99,128 ----
                        }
                        makemessage(mestmp);
                        return;
                }
+               /*
+                * In case we read some non-text, make sure there is
+                * at least one char before '\0'.  Otherwise, we'll
+                * blow up later.
+                */
+
+               if (linebuf[0] == '\0')
+                 linebuf[0] = '.';
+
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!
!               /*
!                * zap '\n' at end of line if there is one;
!                * there won't be one if line length is >= than LINESIZE;
!                */
!               if (linebuf[count - 1] == '\n')
!                       linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)){
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
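Review bot: the new guard `if (linebuf[0] == '\0') linebuf[0] = '.';` covers only a NUL in the first byte, while `count = strlen(linebuf);` is still used as the write length, so a NUL later in the line silently drops the rest of that line (its newline included) from `otf`. That case no longer crashes, because the `linebuf[count - 1] == '\n'` test now guards the store, but the comment above the guard should state both side effects: the stored copy has its first byte rewritten to '.', and lines with an embedded NUL are truncated. If the byte count from the read is available here, writing that count instead of `strlen(linebuf)` would preserve the whole line.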
[root@k5 mailx-8.1.1]#
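
The two failure modes Jeff describes (a zero `count` turning `linebuf[count - 1]` into a store one byte before the buffer, and `strlen` discarding everything after a NUL) can be reproduced and compared against a byte-counted reader. The following is an added example, not code from the report or from mailx: `sample_mbox` is a constructed mailbox whose second line starts with a NUL, `unsafe_zap_index` mirrors the original fio.c accounting, and `copy_lines_safe` is an alternative hardening (assumed here, not the patch applied to the package) that uses `getline()` so the write length is the byte count actually read rather than `strlen()`.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* getline(), fmemopen(), ssize_t */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample mailbox (not from the report): the second line
 * begins with a NUL byte, the case the bug describes. */
static const char sample_mbox[] =
    "From alice Sat Jan  1 00:00:00 2000\n"
    "\0garbage line\n"
    "real text\n";
#define SAMPLE_MBOX_LEN (sizeof sample_mbox - 1)

/* Mirror of the original fio.c accounting: the line length comes from
 * strlen().  Returns the index that "linebuf[count - 1] = 0" would
 * write; a line whose first byte is NUL yields -1, a store one byte
 * before the buffer (the stack corruption the report describes). */
long unsafe_zap_index(const char *linebuf)
{
    size_t count = strlen(linebuf);
    return (long)count - 1;
}

/* Hardened copy loop: getline() returns the number of bytes in the
 * line, embedded NULs included, so every byte is written and the
 * trailing-newline check can never index before the buffer.  Copies
 * src line by line into out, stores the bytes written in *written and
 * returns the number of lines processed, or -1 on error / overflow. */
int copy_lines_safe(const char *src, size_t srclen,
                    char *out, size_t outcap, size_t *written)
{
    FILE *in = fmemopen((void *)src, srclen, "r");
    char *linebuf = NULL;
    size_t cap = 0, pos = 0;
    ssize_t n;
    int lines = 0;

    if (in == NULL)
        return -1;
    while ((n = getline(&linebuf, &cap, in)) != -1) {
        /* Write exactly the bytes read, never strlen(linebuf). */
        if (pos + (size_t)n > outcap) {
            lines = -1;
            break;
        }
        memcpy(out + pos, linebuf, (size_t)n);
        pos += (size_t)n;
        /* getline() never returns 0 here, so n - 1 is in bounds; strip
         * the newline only when one is actually present (it is absent
         * on the final line if the input lacks a trailing newline). */
        if (linebuf[n - 1] == '\n')
            linebuf[n - 1] = '\0';
        lines++;
    }
    free(linebuf);
    fclose(in);
    *written = pos;
    return lines;
}

int main(void)
{
    char out[256];
    size_t written = 0;
    int lines = copy_lines_safe(sample_mbox, SAMPLE_MBOX_LEN,
                                out, sizeof out, &written);

    printf("unsafe index for a NUL-led line: %ld\n", unsafe_zap_index(""));
    printf("safe copy: %d lines, %zu bytes written (input %zu)\n",
           lines, written, SAMPLE_MBOX_LEN);
    return 0;
}
```

With the sample above the unsafe accounting reports index -1 for the NUL-led line, while the byte-counted reader stores all three lines and every input byte, including the NUL, so the message text is preserved rather than rewritten or truncated.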

Comment 1 Bill Nottingham 2000-01-03 16:07:59 UTC
*** Bug 3719 has been marked as a duplicate of this bug. ***
*** Bug 6859 has been marked as a duplicate of this bug. ***

Comment 2 Elliot Lee 2000-02-03 22:46:59 UTC
I've applied your patch in mailx-8.1.1-10

