Bug 8100 - well-placed '\0' in mail text renders mailx unusable
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: mailx
Version: 6.1
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Florian La Roche
Duplicates: 3719, 6859
Reported: 2000-01-01 16:29 EST by Jeff Trawick
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-02-03 17:46:48 EST
Description Jeff Trawick 2000-01-01 16:29:58 EST
The mail command (all versions, including what ships with RH 6.0 and
RH 6.1) is vulnerable to a binary zero in the first byte of a line
of a mail message.  When compiled with -O2 it gets a segmentation
violation.  Of course this is a bogus mail message but some software
generates it as I received SPAM recently that had '\0' in the magic
place and was unable to use the mail command.

When -O2 was not used at compilation, the segmentation violation did not
occur.

I have attached a diff below showing one possible fix.  For this diff,
fio.c.old is the version with all shipped patches applied from
mailx-8.1.1-9.src.rpm.

Basically, the fix is to guarantee that there is at least one non-'\0'
character in a line read from the message.  If there is not
(i.e., the first char is '\0') two problems occur:
1) count is zero, so "linebuf[count - 1] = 0" overlays the local
variable "FILE *mestmp", causing a subsequent write to that file to
get a segmentation violation since mestmp is invalid (this seems to
occur only with -O2)
2) the manipulation of the message requires that there is some text
in each line; an empty stored line is treated as the end of all
messages.


[root@k5 mailx-8.1.1]# diff -C 4 fio.c.old fio.c
*** fio.c.old   Fri Dec 31 16:00:49 1999
--- fio.c       Sat Jan  1 16:12:06 2000
***************
*** 99,113 ****
                        }
                        makemessage(mestmp);
                        return;
                }
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!               linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)) {
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
--- 99,128 ----
                        }
                        makemessage(mestmp);
                        return;
                }
+               /*
+                * In case we read some non-text, make sure there is
+                * at least one char before '\0'.  Otherwise, we'll
+                * blow up later.
+                */
+
+               if (linebuf[0] == '\0')
+                 linebuf[0] = '.';
+
                count = strlen(linebuf);
                (void) fwrite(linebuf, sizeof *linebuf, count, otf);
                if (ferror(otf)) {
                        perror("/tmp");
                        exit(1);
                }
!
!               /*
!                * zap '\n' at end of line if there is one;
!                * there won't be one if line length is >= than LINESIZE;
!                */
!               if (linebuf[count - 1] == '\n')
!                       linebuf[count - 1] = 0;
                if (maybe && linebuf[0] == 'F' && ishead(linebuf)){
                        msgCount++;
                        if (append(&this, mestmp)) {
                                perror("temporary file");
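Review bot: the guard added at the top of the new hunk (`if (linebuf[0] == '\0') linebuf[0] = '.';`) only covers a NUL in the very first byte; a NUL further into the line still makes `count = strlen(linebuf)` stop short, so the `fwrite` to otf drops the rest of the line including its '\n', the new `linebuf[count - 1] == '\n'` test then fails, and the next mailbox line is glued onto this one in the temporary copy. Substituting '.' also silently changes the stored message text. Suggest taking the line length from a reader that reports it (fgetln(3) or getline(3)) instead of strlen(), so the whole line is copied and accounted for by that length; at minimum the comment "if line length is >= than LINESIZE" should read "greater than or equal to LINESIZE".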
[root@k5 mailx-8.1.1]#
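The failure described in the report, as an added example that is not part of the original report or of mailx itself: the setptr() line loop in a vulnerable form that takes its length from strlen(), beside a hardened form that reads the line byte by byte and keeps the real count, so a NUL anywhere in a line neither writes below the buffer nor loses bytes from the temporary copy. The LINESIZE value, the function names and the sample mailbox are all assumptions constructed for the example.

```c
/*
 * Added example, not mailx's own code: the setptr() line loop from
 * mailx 8.1.1 fio.c as the report describes it, in a vulnerable form
 * that trusts strlen() and a hardened form that keeps the real byte
 * count.  The LINESIZE value and every name below are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define LINESIZE 1024

/* Constructed sample mailbox (not real mail): a "From " line, a line
 * whose first byte is '\0' as in the report, then a NUL mid-line. */
const char sample_msg[] =
    "From spam Sat Jan  1 16:12:06 2000\n"
    "\0\0junk\n"
    "abc\0def\n";
const size_t sample_len = sizeof sample_msg - 1;

/* Vulnerable step quoted in the report: count comes from strlen(), so a
 * line whose first byte is '\0' gives count == 0 and the store lands at
 * linebuf[-1], below the array on the stack.  This copy returns the
 * index it would write and skips the out-of-bounds store itself. */
int vulnerable_zap(char *linebuf)
{
    size_t count = strlen(linebuf);
    if (count == 0)
        return -1;                  /* original: linebuf[-1] = 0 */
    linebuf[count - 1] = 0;
    return (int)count - 1;
}

/* Read one line, '\n' included, returning the bytes actually consumed,
 * which fgets() cannot report once a NUL is in the line.  The buffer
 * stays NUL-terminated for string code.  Returns -1 at end of input. */
int read_line_counted(FILE *in, char *buf, size_t size)
{
    size_t n = 0;
    int c;
    while (n + 1 < size && (c = fgetc(in)) != EOF) {
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return n == 0 ? -1 : (int)n;
}

/* Hardened step: copy exactly count bytes to the spool file, then drop
 * the '\n' only if one is there (a line of LINESIZE - 1 bytes or more
 * has none).  Returns the bytes left in linebuf, or -1 on error. */
int hardened_zap(char *linebuf, int count, FILE *out)
{
    if (count <= 0)
        return -1;
    if (out && fwrite(linebuf, 1, (size_t)count, out) != (size_t)count)
        return -1;
    if (linebuf[count - 1] == '\n')
        linebuf[--count] = '\0';
    return count;
}

/* Run the hardened loop over an in-memory message and return the bytes
 * accounted for (what setptr() turns into message offsets), after
 * checking the spool copy holds exactly that many.  -1 on error. */
long count_message_bytes(const char *msg, size_t len, int *lines)
{
    char linebuf[LINESIZE];
    FILE *in = tmpfile(), *out = tmpfile();
    long total = -1;
    int n, ok;

    *lines = 0;
    ok = in && out && fwrite(msg, 1, len, in) == len && fseek(in, 0, SEEK_SET) == 0;
    if (ok) {
        total = 0;
        while ((n = read_line_counted(in, linebuf, sizeof linebuf)) > 0) {
            if (hardened_zap(linebuf, n, out) < 0) { total = -1; break; }
            total += n;
            (*lines)++;
        }
        if (total >= 0 && ftell(out) != total)
            total = -1;
    }
    if (in) fclose(in);
    if (out) fclose(out);
    return total;
}

int main(void)
{
    char line[LINESIZE] = "";   /* what strlen() sees after fgets() on "\0..." */
    int lines;
    long total = count_message_bytes(sample_msg, sample_len, &lines);
    printf("vulnerable store index for NUL-first line: %d\n", vulnerable_zap(line));
    printf("hardened: %d lines, %ld of %zu bytes accounted for\n",
           lines, total, sample_len);
    return 0;
}
```

The byte count returned by read_line_counted() is what the hardened path feeds to both the fwrite and the offset arithmetic, which is why the spool copy and the accounted total agree even for the line with a leading NUL; the original loop derives both from strlen() and so disagrees with the mailbox as soon as a NUL appears.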
Comment 1 Bill Nottingham 2000-01-03 11:07:59 EST
*** Bug 3719 has been marked as a duplicate of this bug. ***
*** Bug 6859 has been marked as a duplicate of this bug. ***
Comment 2 Elliot Lee 2000-02-03 17:46:59 EST
I've applied your patch in mailx-8.1.1-10
