Bug 8100 - well-placed '\0' in mail text renders mailx unusable
Summary: well-placed '\0' in mail text renders mailx unusable
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mailx
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Florian La Roche
QA Contact:
URL:
Whiteboard:
Duplicates: 3719 6859
Depends On:
Blocks:
 
Reported: 2000-01-01 21:29 UTC by Jeff Trawick
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-02-03 22:46:48 UTC
Embargoed:



Description Jeff Trawick 2000-01-01 21:29:58 UTC
The mail command (all versions, including what ships with RH 6.0 and
RH 6.1) is vulnerable to a binary zero in the first byte of a line
of a mail message.  When compiled with -O2 it gets a segmentation
violation.  Of course this is a bogus mail message, but some software
generates it: I received SPAM recently that had '\0' in the magic
place and was unable to use the mail command.

When -O2 was not used at compilation, the segmentation violation did not
occur.

I have attached a diff below showing one possible fix.  For this diff,
fio.c.old is the version with all shipped patches applied from
mailx-8.1.1-9.src.rpm.

Basically, the fix is to guarantee that there is at least one non-'\0'
character in a line read from the message.  If there is not
(i.e., the first char is '\0') two problems occur:
1) count is zero, so "linebuf[count - 1] = 0" overlays the local
variable "FILE *mestmp", causing a subsequent write to that file to
get a segmentation violation since mestmp is invalid (this seems to
occur only with -O2)
2) the manipulation of the message requires that there is some text
in each line; an empty stored line is treated as the end of all
messages.


[root@k5 mailx-8.1.1]# diff -C 4 fio.c.old fio.c
*** fio.c.old   Fri Dec 31 16:00:49 1999
--- fio.c       Sat Jan  1 16:12:06 2000
***************
*** 99,113 ****
                        }
                        makemessage(mestmp);
                        return;
                }
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!               linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)) {
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
--- 99,128 ----
                        }
                        makemessage(mestmp);
                        return;
                }
+               /*
+                * In case we read some non-text, make sure there is
+                * at least one char before '\0'.  Otherwise, we'll
+                * blow up later.
+                */
+
+               if (linebuf[0] == '\0')
+                 linebuf[0] = '.';
+
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!
!               /*
!                * zap '\n' at end of line if there is one;
!                * there won't be one if line length is >= than LINESIZE;
!                */
!               if (linebuf[count - 1] == '\n')
!                       linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)){
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
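Review bot: the guard at the top of the new hunk only covers a NUL in the first byte of linebuf; a NUL anywhere later in the line still makes `count = strlen(linebuf)` stop short, so the bytes after it (including that line's '\n') are never written to otf and the following line is glued onto this one in the temporary file. With the guard in place count is at least 1, so the `linebuf[count - 1] = 0` store that ran off the front of the buffer no longer happens, and the added `== '\n'` test stops it from clobbering a real character on an over-long line; but note that the substituted '.' is itself written to otf and so appears in the displayed message. Unless the call that fills linebuf (not visible in this hunk) can report the real byte count, the comment should at least say that only the leading-NUL case is handled and that the remainder of such a line is dropped.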
[root@k5 mailx-8.1.1]#

Comment 1 Bill Nottingham 2000-01-03 16:07:59 UTC
*** Bug 3719 has been marked as a duplicate of this bug. ***
*** Bug 6859 has been marked as a duplicate of this bug. ***

Comment 2 Elliot Lee 2000-02-03 22:46:59 UTC
I've applied your patch in mailx-8.1.1-10

