author | Matthias Andree <matthias.andree@gmx.de> | 2021-08-26 23:53:14 +0200 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2021-08-27 00:16:12 +0200 |
commit | 5cca5d1e300a41bda91b983c8ccf7fbb60ccb957 (patch) | |
tree | cd75e9ea3c40eb833da0448cfb090831f2ec40f4 | |
parent | 27e6d102926a1d60bff82a7a511acd9cf2a9b76e (diff) | |
fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope"
Reported by Bjørn Mork, fixes Debian Bug#992400.
The crash happens inside xstrdup(), in a strlen((char *)-1) whose
argument is constant; the trigger is a local, trusted configuration
file, so this is not deemed a vulnerability.
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | fetchmail.c | 2 | ||||
-rw-r--r-- | fetchmail.h | 2 |
3 files changed, 7 insertions, 2 deletions
@@ -125,6 +125,11 @@ fetchmail-6.4.22 (not yet released):
 * Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
 * On POP3 connections, the CAPAbilities parser is now caseblind.
+* Fix segfault on configurations with "defaults ... no envelope". Reported by
+ Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3
+ and happened when plugging memory leaks, which did not account for that the
+ envelope parameter is special when set as "no envelope". The segfault happens
+ in a constant strlen(-1), triggered by trusted local input => no vulnerability.
 # CHANGES:
 * IMAP: When fetchmail is in not-authenticated state and the server volunteers
diff --git a/fetchmail.c b/fetchmail.c
index ac8e4607..71ecc1b0 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -996,7 +996,7 @@ static void optmerge(struct query *h2, struct query *h1, int force)
 list_merge(&h2->antispam, &h1->antispam, force);
 #define FLAG_MERGE(fld) do { if (force ? !!h1->fld : !h2->fld) h2->fld = h1->fld; } while (0)
-#define STRING_MERGE(fld) do { if (force ? !!h1->fld : !h2->fld) { if (h2->fld) free((void *)h2->fld), h2->fld = 0; if (h1->fld) h2->fld = xstrdup(h1->fld); } } while (0)
+#define STRING_MERGE(fld) do { if (force ? !!h1->fld : !h2->fld) { if (h2->fld) free((void *)h2->fld), h2->fld = 0; if (h1->fld) { if (h1->fld != STRING_DISABLED) h2->fld = xstrdup(h1->fld); else h2->fld = STRING_DISABLED; } } } while (0)
 STRING_MERGE(server.via);
 FLAG_MERGE(server.protocol);
 STRING_MERGE(server.service);
diff --git a/fetchmail.h b/fetchmail.h
index 717ebd6f..d976f481 100644
--- a/fetchmail.h
+++ b/fetchmail.h
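Review bot: The free() side of the new STRING_MERGE still has no sentinel check: when `force` is set and h1->fld is non-null, `if (h2->fld) free((void *)h2->fld)` runs even if h2->fld already holds STRING_DISABLED ((char *)-1 according to the fetchmail.h comment in this commit), which would hand the sentinel to free(). If h2->fld can carry STRING_DISABLED — and this commit makes that possible whenever an earlier, non-forced merge copied it in — that branch needs the same guard: `if (h2->fld && h2->fld != STRING_DISABLED) free((void *)h2->fld); h2->fld = 0;`. Any other code that passes `server.envelope` to free(), strlen() or xstrdup() presumably needs the same check; this hunk only covers the merge. optmerge() begins and ends outside the hunk.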
@@ -265,7 +265,7 @@ struct hostdata /* shared among all user connections to given server */
 int interval; /* # cycles to skip between polls */
 int authenticate; /* authentication mode to try */
 int timeout; /* inactivity timout in seconds */
- char *envelope; /* envelope address list header */
+ char *envelope; /* envelope address list header - WARNING - can take value STRING_DISABLED (-1)! */
 int envskip; /* skip to numbered envelope header */
 char *qvirtual; /* prefix removed from local user id */
 flag skip; /* suppress poll in implicit mode? */ |
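Review bot: The new comment on `envelope` names the sentinel but not what a reader must do about it, and the crash this commit fixes came precisely from treating the field as an ordinary string. Suggest spelling out the unsafe operations: `/* envelope address list header; may hold STRING_DISABLED ((char *)-1) for "no envelope" - check before passing to strlen()/xstrdup()/free() */`. struct hostdata continues outside the hunk.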