crash due to null pointer access when imap server sends early preauth
We observed a crash in balsa. This can be reproduced by having a server that simply sends a PREAUTH command, e.g. by doing this on the command line with netcat and letting balsa connect to localhost via imap:
```sh
echo -n "* PREAUTH\r\n" | nc -l -p 143
```
I'm pasting an error from AddressSanitizer below; it indicates the error is in libbalsa/imap/imap-handle.c:827.
That code looks like this:
```c
handle->can_fetch_body =
    (strncmp(handle->last_msg, "Microsoft Exchange", 18) != 0);
```
It seems this crashes when handle->last_msg is not set (i.e. NULL), which causes strncmp to access a null pointer. Preventing this by first checking that handle->last_msg is not NULL prevents the crash; however, there's probably an underlying deeper issue within the state management of the IMAP implementation.
ASAN error:
```
==3171==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f312ac84c30 bp 0x7ffce7d9e2d0 sp 0x7ffce7d9da30 T0)
==3171==The signal is caused by a READ memory access.
==3171==Hint: address points to the zero page.
    #0 0x7f312ac84c2f (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0xd5c2f)
    #1 0x55f918e2da93 in imap_mbox_connect /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/imap/imap-handle.c:827
    #2 0x55f918e2e052 in imap_mbox_handle_connect /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/imap/imap-handle.c:597
    #3 0x55f918d999b7 in libbalsa_imap_server_get_handle /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/imap-server.c:665
    #4 0x55f918d9001c in libbalsa_scanner_imap_dir /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/folder-scanners.c:413
    #5 0x55f918d0c7f0 in imap_dir_cb /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/mailbox-node.c:502
    #6 0x7f3129347d7c in g_closure_invoke (/usr/lib64/libgobject-2.0.so.0+0x13d7c)
    #7 0x7f312935aa36 (/usr/lib64/libgobject-2.0.so.0+0x26a36)
    #8 0x7f31293637cc in g_signal_emit_valist (/usr/lib64/libgobject-2.0.so.0+0x2f7cc)
    #9 0x7f3129363e36 in g_signal_emit (/usr/lib64/libgobject-2.0.so.0+0x2fe36)
    #10 0x55f918d1ec60 in scan_mailboxes_idle_cb /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:254
    #11 0x7f312926129f in g_main_context_dispatch (/usr/lib64/libglib-2.0.so.0+0x4e29f)
    #12 0x7f3129261667 (/usr/lib64/libglib-2.0.so.0+0x4e667)
    #13 0x7f3129261992 in g_main_loop_run (/usr/lib64/libglib-2.0.so.0+0x4e992)
    #14 0x7f3129a2d95c in gtk_main (/usr/lib64/libgtk-3.so.0+0x23895c)
    #15 0x55f918d1fa6c in real_main /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:566
    #16 0x55f918d1fa6c in command_line_cb /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:749
    #17 0x7f3127643bac (/usr/lib64/libffi.so.7+0x6bac)
    #18 0x7f3127643138 (/usr/lib64/libffi.so.7+0x6138)
    #19 0x7f3129348599 in g_cclosure_marshal_generic (/usr/lib64/libgobject-2.0.so.0+0x14599)
    #20 0x7f3129347d7c in g_closure_invoke (/usr/lib64/libgobject-2.0.so.0+0x13d7c)
    #21 0x7f312935aa36 (/usr/lib64/libgobject-2.0.so.0+0x26a36)
    #22 0x7f3129362e49 in g_signal_emit_valist (/usr/lib64/libgobject-2.0.so.0+0x2ee49)
    #23 0x7f3129363e36 in g_signal_emit (/usr/lib64/libgobject-2.0.so.0+0x2fe36)
    #24 0x7f312945ab02 (/usr/lib64/libgio-2.0.so.0+0xc9b02)
    #25 0x7f312945cca8 (/usr/lib64/libgio-2.0.so.0+0xcbca8)
    #26 0x7f312945ce69 in g_application_run (/usr/lib64/libgio-2.0.so.0+0xcbe69)
    #27 0x55f918cb4c60 in main /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:773
    #28 0x7f312901ce8a in __libc_start_main ../csu/libc-start.c:308
    #29 0x55f918cb5e79 in _start (/usr/bin/balsa+0xb9e79)
```
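As an added illustration of the NULL-guard described above (this is not balsa's code and not the reporter's; it is a stand-alone model written for this page), the following C snippet parses the IMAP server greeting into a toy `struct handle`, tracks the connection state, and computes `can_fetch_body` with the guarded check. Assumptions: the `struct handle`, `enum conn_state`, `parse_greeting`, `compute_can_fetch_body` and `evaluate_greeting` names are hypothetical; `last_msg` holds the greeting's free-form text and stays NULL when the server sent none (a bare `* PREAUTH`); and with no text the model defaults `can_fetch_body` to 1, since there is no evidence of an Exchange server. The sample greetings are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, minimal stand-in for balsa's IMAP handle (not the real struct). */
enum conn_state {
    STATE_DISCONNECTED = 0,
    STATE_NOT_AUTHENTICATED,   /* greeting was "* OK"      */
    STATE_AUTHENTICATED,       /* greeting was "* PREAUTH" */
    STATE_LOGOUT               /* greeting was "* BYE"     */
};

struct handle {
    enum conn_state state;
    char *last_msg;        /* free-form text of the last status response, or NULL when none was sent */
    int can_fetch_body;
};

/* Return the pointer just past `kw` if `p` starts with it followed by a delimiter, else NULL. */
static const char *match_keyword(const char *p, const char *kw)
{
    size_t n = strlen(kw);
    if (strncmp(p, kw, n) != 0)
        return NULL;
    if (p[n] != ' ' && p[n] != '\r' && p[n] != '\n' && p[n] != '\0')
        return NULL;
    return p + n;
}

/* Parse the server greeting ("* OK ...", "* PREAUTH ...", "* BYE ...").
 * Sets h->state and replaces h->last_msg with the greeting's text; an optional
 * "[response-code]" is skipped. A greeting with no text leaves last_msg NULL,
 * which is the situation the report describes. Returns 0 on success, -1 otherwise. */
static int parse_greeting(struct handle *h, const char *line)
{
    const char *p, *text;
    size_t len;

    if (strncmp(line, "* ", 2) != 0)
        return -1;
    p = line + 2;
    if ((text = match_keyword(p, "PREAUTH")) != NULL)
        h->state = STATE_AUTHENTICATED;
    else if ((text = match_keyword(p, "OK")) != NULL)
        h->state = STATE_NOT_AUTHENTICATED;
    else if ((text = match_keyword(p, "BYE")) != NULL)
        h->state = STATE_LOGOUT;
    else
        return -1;

    while (*text == ' ')
        text++;
    if (*text == '[') {                 /* skip a "[CAPABILITY ...]" style response code */
        const char *close = strchr(text, ']');
        if (close == NULL)
            return -1;
        text = close + 1;
        while (*text == ' ')
            text++;
    }
    len = strcspn(text, "\r\n");        /* text ends at CRLF */

    free(h->last_msg);
    h->last_msg = NULL;
    if (len > 0) {
        h->last_msg = malloc(len + 1);
        if (h->last_msg == NULL)
            return -1;
        memcpy(h->last_msg, text, len);
        h->last_msg[len] = '\0';
    }
    return 0;
}

/* Guarded form of the check at imap-handle.c:827. The unguarded
 * strncmp(h->last_msg, "Microsoft Exchange", 18) dereferences NULL when the
 * server sent no greeting text. With no text there is no evidence of an
 * Exchange server, so this model assumes bodies can be fetched (assumed default). */
static int compute_can_fetch_body(const struct handle *h)
{
    if (h->last_msg == NULL)
        return 1;
    return strncmp(h->last_msg, "Microsoft Exchange", 18) != 0;
}

/* Run one greeting through a fresh handle; returns the can_fetch_body flag, or -1
 * if the greeting was rejected. Optionally reports the resulting state and whether
 * any greeting text was recorded (0 means last_msg stayed NULL). */
static int evaluate_greeting(const char *line, int *state_out, int *has_text_out)
{
    struct handle h = { STATE_DISCONNECTED, NULL, 0 };
    int result;

    if (parse_greeting(&h, line) != 0)
        return -1;
    h.can_fetch_body = compute_can_fetch_body(&h);
    if (state_out)
        *state_out = h.state;
    if (has_text_out)
        *has_text_out = (h.last_msg != NULL);
    result = h.can_fetch_body;
    free(h.last_msg);
    return result;
}
```

Calling `evaluate_greeting("* PREAUTH\r\n", &state, &has_text)` moves the model straight to the authenticated state with `has_text == 0`, which is exactly the path on which the unguarded `strncmp` would read from address zero; the guarded check returns 1 instead. A constructed `* OK [CAPABILITY IMAP4rev1] Microsoft Exchange Server ready` greeting yields 0, and a line that is not a valid greeting is rejected with -1 rather than being parsed into the handle.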