Busybox Sendmail segfaults with multiple inline recipients
vda.linux at googlemail.com
Tue Aug 22 13:54:23 UTC 2017
Fixed in git, thanks
On Sat, Aug 19, 2017 at 1:08 AM, mark <mark-busybox at nysen.com> wrote:
> I came across a bug in the sendmail function of busybox when using the
> "-t" option and including multiple recipients in any of the inline mail
> headers (To, Cc, or Bcc).
> When multiple inline recipients are used within a header, busybox
> segfaults. This appears to be related to memory cleaning via free(). I've
> tested this with the alpine package of busybox (1.24.2 / 1.27.1) and also
> compiling from the busybox master branch on a debian box.
> I'm not a programmer, but the error seems to be related to the free()
> function on line 212 of mailutils/sendmail.c in the master branch.
> To reproduce (using google's mail server):
> $ echo "To: one at nowhere,two at nowhere" | ./busybox sendmail -S
> aspmx.l.google.com -ti
> sendmail: Bad recipient: <one at nowhere>
> sendmail: Bad recipient: <two at nowhere>
> Segmentation fault
> The "Bad recipient" is normal and expected in this case because the mail
> server is rejecting the addresses, but the segfault shouldn't be happening.
> I've tested this with other mail servers where the mails aren't rejected,
> but the segfault still occurs.
> Removing line 212 and recompiling resolves the error, but I assume this
> also removes some memory deallocation. My uneducated and totally wild guess
> is that str is being manipulated on lines 204-206 and then isn't a valid
> target for free(). I've attached a diff which removes that call to free()
> and resolves the problem, but I'm guessing this creates a memory leak.
> Busybox is a great piece of software. I'm amazed at how much it does
> with so little code. Thankyou for all the time you've put into it.
> busybox mailing list
> busybox at busybox.net
More information about the busybox