Bug 632322 - mail-mta/opensmtpd buffer overflow
Summary: mail-mta/opensmtpd buffer overflow
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Jason A. Donenfeld
Reported: 2017-09-29 01:26 UTC by jiangxueqian
Modified: 2017-09-29 08:16 UTC

Description jiangxueqian 2017-09-29 01:26:23 UTC
There is a bug in /usr/libexec/opensmtpd/mail.local causing a buffer overflow when gethostbyname returns ::1 for localhost. It always occurs on my system.

GDB output:
Starting program: /usr/libexec/opensmtpd/mail.local jiang
test
*** buffer overflow detected ***: mail.local terminated; report to <http://bugs.gentoo.org/>

Program received signal SIGABRT, Aborted.
__hardened_gentoo_fail () at chk_fail.c:278
278                             INLINE_SYSCALL(kill, 2, pid, SIGABRT);
(gdb) backtrace
#0  __hardened_gentoo_fail () at chk_fail.c:278
#1  __GI___chk_fail () at chk_fail.c:298
#2  0x0000000000401ff4 in bcopy (__len=<optimized out>, __dest=0x605054 <addr+4>, __src=<optimized out>) at /usr/include/bits/string3.h:97
#3  notifybiff (msg=msg@entry=0x7fffffffb300 "jiang@0\n") at mail.local.c:319
#4  0x00000000004021d1 in deliver (fd=fd@entry=3, name=<optimized out>, lockfile=lockfile@entry=1) at mail.local.c:293
#5  0x0000000000401ab6 in main (argc=<optimized out>, argv=0x7fffffffe5f0) at mail.local.c:112

Details:
from mail.local.c:
297 void
298 notifybiff(char *msg)
299 {
300         static struct sockaddr_in addr;
...
310                 if (!(hp = gethostbyname("localhost"))) {
...
319                 bcopy(hp->h_addr, &addr.sin_addr, (size_t)hp->h_length);

If gethostbyname returns ::1, it would not be able to fit in addr. The program doesn't check the size of the returned address, and overflows addr using bcopy.
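The defect described above is that mail.local.c:319 trusts hp->h_length as the copy size for a 4-byte struct in_addr. The following is an added example (not code from the bug report or from the OpenSMTPD project) of the check a hardened notifybiff would need before the copy: the address family must be AF_INET and h_length must equal sizeof(struct in_addr), otherwise the notification is skipped rather than overflowing addr. The two hostent records are constructed in the block to stand in for the IPv4 and IPv6 (::1) results gethostbyname("localhost") can return; the function names copy_ipv4_addr and demo are this example's own.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

/* Hardened replacement for the unchecked bcopy at mail.local.c:319.
 * Copies the first address of a hostent into a sockaddr_in only when it
 * really is an IPv4 address of exactly sizeof(struct in_addr) bytes.
 * Returns 0 on success, -1 when the record cannot safely be copied. */
int copy_ipv4_addr(const struct hostent *hp, struct sockaddr_in *addr)
{
    if (hp == NULL || addr == NULL || hp->h_addr_list == NULL
        || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET)              /* AF_INET6 for ::1: refuse */
        return -1;
    if (hp->h_length != (int)sizeof(addr->sin_addr))  /* 16 bytes would overflow */
        return -1;
    memcpy(&addr->sin_addr, hp->h_addr_list[0], sizeof(addr->sin_addr));
    return 0;
}

/* Constructed hostent records (example data, not real resolver output):
 * an IPv4 127.0.0.1 answer and an IPv6 ::1 answer, the reporter's case. */
static unsigned char v4_bytes[4]  = {127, 0, 0, 1};
static unsigned char v6_bytes[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
static char *v4_list[]    = { (char *)v4_bytes, NULL };
static char *v6_list[]    = { (char *)v6_bytes, NULL };
static char *no_aliases[] = { NULL };

/* Field order: h_name, h_aliases, h_addrtype, h_length, h_addr_list */
struct hostent localhost_v4 = { "localhost", no_aliases, AF_INET,  4,  v4_list };
struct hostent localhost_v6 = { "localhost", no_aliases, AF_INET6, 16, v6_list };

/* Runs both cases. Returns 1 when the IPv4 record is copied correctly and
 * the IPv6 record is refused without touching addr beyond its 4 bytes. */
int demo(void)
{
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    int rc4 = copy_ipv4_addr(&localhost_v4, &addr);
    int rc6 = copy_ipv4_addr(&localhost_v6, &addr);
    return rc4 == 0 && rc6 == -1 && addr.sin_addr.s_addr == htonl(0x7f000001);
}

int main(void)
{
    printf("ipv4 copied and ipv6 refused: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

In real code the cleaner fix is to resolve with getaddrinfo and hints.ai_family = AF_INET so an IPv6 answer is never handed to code that expects a sockaddr_in; the length check above is the minimum guard if gethostbyname is kept.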