Segmentation fault in pigeonhole lib-sieve
The sieve plugin for Thunderbird likes to rapidly compile work-in-progress sieve scripts to continually give feedback on any errors in the script. This can trigger segmentation faults in lib-sieve with certain pathologically incomplete sieve scripts. One example:

#0 tag_comparator_validate (valdtr=0x7f291aa713a0, arg=0x7fff5c3cfa58, cmd=0x7f291aa69360) at sieve-comparators.c:143
143 if ( (*arg)->type != SAAT_STRING ) {
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-12.el7.x86_64 glibc-2.17-55.el7_0.3.x86_64 sssd-client-1.11.2-68.el7_0.6.x86_64 zlib-1.2.7-13.el7.x86_64
(gdb) list
138 *arg = sieve_ast_argument_next(*arg);
139
140 /* Check syntax:
141 * ":comparator" <comparator-name: string>
142 */
143 if ( (*arg)->type != SAAT_STRING ) {
144 sieve_argument_validate_error(valdtr, *arg,
145 ":comparator tag requires one string argument, but %s was found",
146 sieve_ast_argument_name(*arg) );
147 return FALSE;
(gdb) print arg
$1 = (struct sieve_ast_argument **) 0x7fff5c3cfa58
(gdb) print *arg
$2 = (struct sieve_ast_argument *) 0x0

So sieve_ast_argument_next() is returning NULL and we're trying to dereference it without checking. Here's a completely naive attempt at a patch:

--- dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c.null 2014-01-01 15:46:39.000000000 -0700
+++ dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c 2014-12-29 14:01:00.233436697 -0700
@@ -140,6 +140,11 @@ static bool tag_comparator_validate /* Check syntax: * ":comparator" <comparator-name: string> */ + if ( *arg == NULL ) { + sieve_argument_validate_error(valdtr, *arg, + ":comparator tag requires one string argument, but none was found"); + return FALSE; + } if ( (*arg)->type != SAAT_STRING ) { sieve_argument_validate_error(valdtr, *arg, ":comparator tag requires one string argument, but %s was found", -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 http://www.nwra.com
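Review bot: the new `if ( *arg == NULL )` branch still hands the NULL `*arg` to sieve_argument_validate_error(), the same routine the existing code at lines 144-146 uses together with sieve_ast_argument_name(*arg) to describe and locate the offending argument; if that routine reads the argument to find the source line, the fault moves from line 143 into the error path instead of going away. Report the missing argument against the tag or the command (`cmd` is already a parameter of tag_comparator_validate) rather than against the absent argument, or use the library's own "tag requires one argument of this type" check that the reply in this thread mentions, so the existence check and the type check live in one place.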
On 12/29/2014 10:02 PM, Orion Poplawski wrote:
The sieve plugin for Thunderbird likes to rapidly compile work-in-progress sieve scripts to continually give feedback on any errors in the script. This can trigger segmentation faults in lib-sieve with certain pathologically incomplete sieve scripts. One example:
Yes. This is a very straightforward problem.
Here's a completely naive attempt at a patch:
That is a good fix. However, lib-sieve has a utility function for verifications like this and that should have been used. Comparator handling predates this function, so I must have forgotten to change comparator validation accordingly, which would have fixed this problem implicitly.
Well, it is fixed now:
http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/b6c55ac6460d
Thanks!
Regards,
Stephan.
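A toy model of the check discussed above, as an added example that is not pigeonhole's code: it mirrors the faulting shape from the gdb listing (step past the tag, then read the next argument) but puts the existence and type checks in one helper that reports a missing argument against the tag rather than against the NULL argument. ast_arg, AT_*, require_next_arg and run_case are hypothetical stand-ins for lib-sieve's sieve_ast_argument, SAAT_STRING and its own validation utility.

```c
/* Added example, not pigeonhole's code: a toy model of the NULL dereference
 * in this thread and of a centralized "next argument must exist and be a
 * string" check. ast_arg, AT_*, require_next_arg and run_case are
 * hypothetical stand-ins for sieve_ast_argument, SAAT_* and lib-sieve's
 * own validation helper. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum arg_type { AT_TAG, AT_STRING, AT_NUMBER };
static const char *const type_name[] = { "tag", "string", "number" };

struct ast_arg {
    enum arg_type type;
    struct ast_arg *next;   /* NULL when the script ends here */
};

/* Centralized check: the argument after a tag must exist and have the wanted
 * type. The error names the tag itself (never NULL), so reporting a missing
 * argument cannot fault either. Returns 1 if valid, 0 on wrong type, -1 if
 * the argument is missing; *arg is advanced only when the check passes. */
static int require_next_arg(struct ast_arg **arg, enum arg_type want,
                            const char *tag, char *err, size_t errlen)
{
    struct ast_arg *next = (*arg)->next;   /* the faulting code skipped this check */
    if (next == NULL) {
        snprintf(err, errlen, "%s tag requires one %s argument, but none was found",
                 tag, type_name[want]);
        return -1;
    }
    if (next->type != want) {
        snprintf(err, errlen, "%s tag requires one %s argument, but %s was found",
                 tag, type_name[want], type_name[next->type]);
        return 0;
    }
    *arg = next;
    return 1;
}

/* Build ":comparator" followed by one argument of next_type (or by nothing
 * when has_next is false, i.e. a script truncated right after the tag) and
 * run the checked validator over it. */
static int run_case(bool has_next, enum arg_type next_type, char *err, size_t errlen)
{
    struct ast_arg value = { next_type, NULL };
    struct ast_arg tag = { AT_TAG, has_next ? &value : NULL };
    struct ast_arg *cur = &tag;
    return require_next_arg(&cur, AT_STRING, ":comparator", err, errlen);
}
```

The truncated case returns -1 with a diagnostic in err instead of dereferencing NULL, which is the behaviour a validator driven by an editor on every keystroke needs.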
On 12/30/2014 03:04 PM, Stephan Bosch wrote:
On 12/29/2014 10:02 PM, Orion Poplawski wrote:
The sieve plugin for Thunderbird likes to rapidly compile work-in-progress sieve scripts to continually give feedback on any errors in the script. This can trigger segmentation faults in lib-sieve with certain pathologically incomplete sieve scripts. One example:
Yes. This is a very straightforward problem.
Here's a completely naive attempt at a patch:
That is a good fix. However, lib-sieve has a utility function for verifications like this and that should have been used. Comparator handling predates this function, so I must have forgotten to change comparator validation accordingly, which would have fixed this problem implicitly.
Well, it is fixed now:
http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/b6c55ac6460d
Thanks!
Regards,
Stephan.
Excellent, thanks for the quick fix!
--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com