Segmentation fault in pigeonhole lib-sieve

Orion Poplawski orion at cora.nwra.com
Mon Dec 29 21:02:01 UTC 2014 

The sieve plugin for Thundirbird likes to rapidly compile work in 
progress sieve scripts to continually give feedback on any errors in the 
script.  This can trigger segmentation faults in lib-sieve with certain 
pathologically incomplete sieve scripts.  One example:

#0  tag_comparator_validate (valdtr=0x7f291aa713a0, arg=0x7fff5c3cfa58,
     cmd=0x7f291aa69360) at sieve-comparators.c:143
143		if ( (*arg)->type != SAAT_STRING ) {
Missing separate debuginfos, use: debuginfo-install 
bzip2-libs-1.0.6-12.el7.x86_64 glibc-2.17-55.el7_0.3.x86_64 
sssd-client-1.11.2-68.el7_0.6.x86_64 zlib-1.2.7-13.el7.x86_64
(gdb) list
138		*arg = sieve_ast_argument_next(*arg);
139	
140		/* Check syntax:
141		 *   ":comparator" <comparator-name: string>
142		 */
143		if ( (*arg)->type != SAAT_STRING ) {
144			sieve_argument_validate_error(valdtr, *arg,
145				":comparator tag requires one string argument, but %s was found",
146				sieve_ast_argument_name(*arg) );
147			return FALSE;
(gdb) print arg
$1 = (struct sieve_ast_argument **) 0x7fff5c3cfa58
(gdb) print *arg
$2 = (struct sieve_ast_argument *) 0x0

So sieve_ast_argument_next() is returning NULL and we're trying to 
dereference it without checking.

Here's a completely naive attempt at a patch:

--- 
dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c.null 
2014-01-01 15:46:39.000000000 -0700
+++ 
dovecot-2.2.15/dovecot-2.2-pigeonhole-0.4.3/src/lib-sieve/sieve-comparators.c 
2014-12-29 14:01:00.233436697 -0700
@@ -140,6 +140,11 @@ static bool tag_comparator_validate
  	/* Check syntax:
  	 *   ":comparator" <comparator-name: string>
  	 */
+	if ( *arg == NULL ) {
+		sieve_argument_validate_error(valdtr, *arg,
+			":comparator tag requires one string argument, but none was found");
+		return FALSE;
+	}
  	if ( (*arg)->type != SAAT_STRING ) {
  		sieve_argument_validate_error(valdtr, *arg,
  			":comparator tag requires one string argument, but %s was found",

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com

More information about the dovecot mailing list