Issue created Feb 08, 2020 by Hanno Böck@hanno

crash due to null pointer access when imap server sends early preauth

We observed a crash in balsa. This can be reproduced by having a server that simply sends a PREAUTH command, e.g. by doing this on the command line with netcat and letting balsa connect to localhost via imap:

echo -n "* PREAUTH\r\n" | nc -l -p 143

I'm pasting an error from Address Sanitizer below; it indicates the error is in libbalsa/imap/imap-handle.c:827.

That code looks like this:

  handle->can_fetch_body = 
    (strncmp(handle->last_msg, "Microsoft Exchange", 18) != 0);

It seems this crashes when handle->last_msg is not set (i.e. NULL), which causes strncmp to access a null pointer. Preventing this by first checking that handle->last_msg is not NULL prevents the crash; however, there's probably an underlying deeper issue within the state management of the imap implementation.

ASAN error:

==3171==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f312ac84c30 bp 0x7ffce7d9e2d0 sp 0x7ffce7d9da30 T0)
==3171==The signal is caused by a READ memory access.
==3171==Hint: address points to the zero page.
    #0 0x7f312ac84c2f  (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0xd5c2f)
    #1 0x55f918e2da93 in imap_mbox_connect /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/imap/imap-handle.c:827
    #2 0x55f918e2e052 in imap_mbox_handle_connect /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/imap/imap-handle.c:597
    #3 0x55f918d999b7 in libbalsa_imap_server_get_handle /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/imap-server.c:665
    #4 0x55f918d9001c in libbalsa_scanner_imap_dir /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/libbalsa/folder-scanners.c:413
    #5 0x55f918d0c7f0 in imap_dir_cb /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/mailbox-node.c:502
    #6 0x7f3129347d7c in g_closure_invoke (/usr/lib64/libgobject-2.0.so.0+0x13d7c)
    #7 0x7f312935aa36  (/usr/lib64/libgobject-2.0.so.0+0x26a36)
    #8 0x7f31293637cc in g_signal_emit_valist (/usr/lib64/libgobject-2.0.so.0+0x2f7cc)
    #9 0x7f3129363e36 in g_signal_emit (/usr/lib64/libgobject-2.0.so.0+0x2fe36)
    #10 0x55f918d1ec60 in scan_mailboxes_idle_cb /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:254
    #11 0x7f312926129f in g_main_context_dispatch (/usr/lib64/libglib-2.0.so.0+0x4e29f)
    #12 0x7f3129261667  (/usr/lib64/libglib-2.0.so.0+0x4e667)
    #13 0x7f3129261992 in g_main_loop_run (/usr/lib64/libglib-2.0.so.0+0x4e992)
    #14 0x7f3129a2d95c in gtk_main (/usr/lib64/libgtk-3.so.0+0x23895c)
    #15 0x55f918d1fa6c in real_main /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:566
    #16 0x55f918d1fa6c in command_line_cb /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:749
    #17 0x7f3127643bac  (/usr/lib64/libffi.so.7+0x6bac)
    #18 0x7f3127643138  (/usr/lib64/libffi.so.7+0x6138)
    #19 0x7f3129348599 in g_cclosure_marshal_generic (/usr/lib64/libgobject-2.0.so.0+0x14599)
    #20 0x7f3129347d7c in g_closure_invoke (/usr/lib64/libgobject-2.0.so.0+0x13d7c)
    #21 0x7f312935aa36  (/usr/lib64/libgobject-2.0.so.0+0x26a36)
    #22 0x7f3129362e49 in g_signal_emit_valist (/usr/lib64/libgobject-2.0.so.0+0x2ee49)
    #23 0x7f3129363e36 in g_signal_emit (/usr/lib64/libgobject-2.0.so.0+0x2fe36)
    #24 0x7f312945ab02  (/usr/lib64/libgio-2.0.so.0+0xc9b02)
    #25 0x7f312945cca8  (/usr/lib64/libgio-2.0.so.0+0xcbca8)
    #26 0x7f312945ce69 in g_application_run (/usr/lib64/libgio-2.0.so.0+0xcbe69)
    #27 0x55f918cb4c60 in main /var/tmp/portage/mail-client/balsa-2.5.6-r1/work/balsa-2.5.6/src/main.c:773
    #28 0x7f312901ce8a in __libc_start_main ../csu/libc-start.c:308
    #29 0x55f918cb5e79 in _start (/usr/bin/balsa+0xb9e79)
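The following is an added, self-contained illustration of the defect class described in this report and of the NULL check the reporter mentions. It is not balsa's code: the struct, the function names, the three-way greeting state machine (OK, PREAUTH, BYE) and the constructed greeting lines are all assumptions made for the example. It keeps the crashing form of the check next to a NULL-safe one so the difference is visible, and the greeting parser leaves last_msg NULL when the server sends a bare PREAUTH with no text, which is exactly the input that triggered the crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for balsa's IMAP handle (names assumed). */
enum imap_conn_state { IMHS_DISCONNECTED, IMHS_CONNECTED, IMHS_AUTHENTICATED };

struct imap_handle {
    enum imap_conn_state state;
    char *last_msg;        /* text of the last server greeting, or NULL if none was sent */
    int can_fetch_body;
};

/* Store the human-readable text of a greeting; whitespace-only text leaves last_msg NULL. */
static void set_last_msg(struct imap_handle *h, const char *text)
{
    size_t len;
    free(h->last_msg);
    h->last_msg = NULL;
    while (*text == ' ')
        text++;
    len = strlen(text);
    while (len > 0 && (text[len - 1] == '\r' || text[len - 1] == '\n'))
        len--;
    if (len == 0)
        return;            /* server sent no text: last_msg stays NULL */
    h->last_msg = malloc(len + 1);
    if (h->last_msg == NULL)
        return;
    memcpy(h->last_msg, text, len);
    h->last_msg[len] = '\0';
}

/* The form from the report: dereferences last_msg unconditionally, so a NULL
 * last_msg (bare "* PREAUTH") makes strncmp read from address zero. */
static int can_fetch_body_unchecked(const struct imap_handle *h)
{
    return strncmp(h->last_msg, "Microsoft Exchange", 18) != 0;
}

/* NULL-safe form: with no greeting text we know nothing about the server and
 * fall back to the default (body fetching allowed). */
static int can_fetch_body_checked(const struct imap_handle *h)
{
    if (h->last_msg == NULL)
        return 1;
    return strncmp(h->last_msg, "Microsoft Exchange", 18) != 0;
}

/* Parse an untagged greeting line ("* OK ...", "* PREAUTH ...", "* BYE ...").
 * Returns 0 when the connection may proceed, -1 on BYE or a malformed line. */
int imap_handle_greeting(struct imap_handle *h, const char *line)
{
    static const struct { const char *word; enum imap_conn_state state; } kinds[] = {
        { "PREAUTH", IMHS_AUTHENTICATED },
        { "OK",      IMHS_CONNECTED },
        { "BYE",     IMHS_DISCONNECTED },
    };
    size_t i;
    if (line == NULL || strncmp(line, "* ", 2) != 0)
        return -1;
    for (i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        const char *rest = line + 2;
        size_t n = strlen(kinds[i].word);
        char next = rest[n];
        /* the keyword must be followed by a delimiter, so "OKAY" is not "OK" */
        if (strncmp(rest, kinds[i].word, n) != 0 ||
            !(next == ' ' || next == '\r' || next == '\n' || next == '\0'))
            continue;
        h->state = kinds[i].state;
        set_last_msg(h, rest + n);
        h->can_fetch_body = can_fetch_body_checked(h);
        return h->state == IMHS_DISCONNECTED ? -1 : 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed greetings: the early PREAUTH from the report, then a normal OK greeting. */
    const char *lines[] = { "* PREAUTH\r\n", "* OK Dovecot ready.\r\n" };
    struct imap_handle h = {0};
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = imap_handle_greeting(&h, lines[i]);
        printf("greeting %zu: rc=%d state=%d last_msg=%s can_fetch_body=%d\n",
               i, rc, (int)h.state, h.last_msg ? h.last_msg : "(null)", h.can_fetch_body);
    }
    free(h.last_msg);
    return 0;
}
```

The point for reviewers is the second greeting path: any code that consumes last_msg after connect must either tolerate NULL or the connect routine must guarantee the field is populated on every branch, including the PREAUTH one; the check alone stops the crash but, as the reporter notes, the state handling is the real fix.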