mutt/2195: double free in rfc822_free_address() when using S/MIME encryption
>Number: 2195
>Notify-List:
>Category: mutt
>Synopsis: double free in rfc822_free_address() when using S/MIME encryption
>Confidential: no
>Severity: normal
>Priority: medium
>Responsible: mutt-dev
>State: open
>Keywords:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 09 10:08:07 +0100 2006
>Originator: Christoph Ludwig
>Release: 1.5.11 (CVS from 2006-02-04)
>Organization:
>Environment:
cludwig@castellio:~> mutt -v
Mutt 1.5.11 (2005-09-15)
Copyright (C) 1996-2006 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.
System: Linux 2.6.13-15.8-default (i686) [using ncurses 5.4] [using libidn 0.5.9 (compiled with 0.5.9)]
Einstellungen bei der Compilierung:
-DOMAIN
+DEBUG
-HOMESPOOL -USE_SETGID +USE_DOTLOCK -DL_STANDALONE
+USE_FCNTL -USE_FLOCK -USE_INODESORT
+USE_POP +USE_IMAP -USE_GSS +USE_SSL -USE_GNUTLS -USE_SASL
+HAVE_GETADDRINFO
+HAVE_REGCOMP -USE_GNU_REGEX
+HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET
+HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
-BUFFY_SIZE -EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET
+HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS +HAVE_LIBIDN +HAVE_GETSID +USE_HCACHE
ISPELL="/usr/bin/ispell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/home/cludwig/usr//share/mutt"
SYSCONFDIR="/home/cludwig/usr//etc"
EXECSHELL="/bin/sh"
-MIXMASTER
To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
To report a bug, please visit http://bugs.mutt.org/.
1.5.6.nr.threadcomplete
patch-1.5.6-ow.smime-encrypt-self.2
>Description:
I observe every so often a crash due to a double free. The backtrace is:
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0x402e5541 in raise () from /lib/tls/libc.so.6
#2 0x402e6dbb in abort () from /lib/tls/libc.so.6
#3 0x4031b8b5 in __libc_message () from /lib/tls/libc.so.6
#4 0x40321842 in malloc_printerr () from /lib/tls/libc.so.6
#5 0x403221f4 in free () from /lib/tls/libc.so.6
#6 0x080a7207 in safe_free (ptr=0x403d8ff4) at lib.c:193
#7 0x08096b17 in rfc822_free_address (p=0x8317238) at rfc822.c:96
#8 0x080a8905 in mutt_free_envelope (p=0x830a4b8) at muttlib.c:662
#9 0x080a89fe in mutt_free_header (h=0xbf961b34) at muttlib.c:283
#10 0x0809cb67 in ci_send_message (flags=1, msg=0x830a480, tempfile=0x0,
ctx=0x818e408, cur=0x830a7b8) at send.c:1777
#11 0x0808a5db in mutt_pager (banner=<value optimized out>, fname=0xbf9626f0
"/tmp/mutt-castellio-1000-16030-26", flags=66,
extra=0xbf9627f0) at pager.c:2462
#12 0x08056e53 in mutt_display_message (cur=0x830a7b8) at commands.c:212
#13 0x0806175c in mutt_index_menu () at curs_main.c:1169
#14 0x0807a583 in main (argc=1, argv=0xbf963634) at main.c:960
(gdb) up 7
#7 0x08096b17 in rfc822_free_address (p=0x8317238) at rfc822.c:96
96 FREE (&t->personal);
(gdb) up
#8 0x080a8905 in mutt_free_envelope (p=0x830a4b8) at muttlib.c:662
662 rfc822_free_address (&(*p)->to);
(gdb) up
#9 0x080a89fe in mutt_free_header (h=0xbf961b34) at muttlib.c:283
283 mutt_free_envelope (&(*h)->env);
This particular crash happens only when I send S/MIME encrypted mails. (I use
the gpgme backend.) I already checked that patch-1.5.6-ow.smime-encrypt-self.2
does not free any address, so it seems an unlikely culprit.
>How-To-Repeat:
Send S/MIME encrypted mails. Unfortunately, mutt does not always crash, so it
is hard to repeat.
>Fix:
Unknown
>Add-To-Audit-Trail:
>Unformatted:
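The backtrace shows the address list being released through a pointer to the caller's own field (`rfc822_free_address (&(*p)->to)`), which is what lets the callee reset that field to NULL after freeing. The following is an added example in C of that free-and-null idiom on a minimal address list; it is not Mutt's code, and the `struct address` layout, the helper names and the sample addresses are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for an RFC 822 address list node. */
struct address {
    char *personal;          /* display name, may be NULL */
    char *mailbox;           /* user@host, may be NULL */
    struct address *next;
};

/* Free *pp and reset it to NULL, so that a second call on the same
 * variable finds NULL and does nothing. This is the idiom behind a
 * FREE(&x)-style macro. */
static void safe_free(void **pp)
{
    if (pp && *pp) {
        free(*pp);
        *pp = NULL;
    }
}
#define SAFE_FREE(x) safe_free((void **)(x))

/* Duplicate a C string (or NULL) without relying on strdup's feature macros. */
static char *dup_or_null(const char *s)
{
    if (!s) return NULL;
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Append a node to the list and return the (possibly new) head. */
struct address *address_add(struct address *head, const char *personal, const char *mailbox)
{
    struct address *n = calloc(1, sizeof *n);
    if (!n) return head;
    n->personal = dup_or_null(personal);
    n->mailbox = dup_or_null(mailbox);
    if (!head) return n;
    struct address *t = head;
    while (t->next) t = t->next;
    t->next = n;
    return head;
}

/* Release every node reachable through *head and leave *head == NULL.
 * Returns the number of nodes freed so a caller (or test) can confirm
 * that a repeated call has nothing left to release. */
int address_free(struct address **head)
{
    int freed = 0;
    struct address *t;
    while ((t = *head) != NULL) {
        *head = t->next;          /* unlink first: the head never dangles */
        SAFE_FREE(&t->personal);
        SAFE_FREE(&t->mailbox);
        free(t);
        freed++;
    }
    return freed;
}

/* Tear the same "To:" list down twice, as would happen if an envelope
 * were freed twice. The second pass is a no-op because the head was nulled.
 * Returns first_count * 10 + second_count, i.e. 20 for the constructed list. */
int demo(void)
{
    struct address *to = NULL;
    to = address_add(to, "Alice Example", "alice@example.invalid");  /* constructed */
    to = address_add(to, NULL, "bob@example.invalid");               /* constructed */
    int first = address_free(&to);   /* frees 2 nodes, sets to = NULL */
    int second = address_free(&to);  /* sees NULL, frees 0 */
    return first * 10 + second;
}

int main(void)
{
    printf("demo() = %d\n", demo());
    return 0;
}
```

The protection only covers the variable whose address was passed in: if a second structure still holds a copy of the same head pointer, nulling the first copy does nothing for the second, and the next free through the alias is exactly the double free the report describes. That aliasing cannot be read off the backtrace alone, which is why a malloc debugger or a watchpoint on the envelope's `to` field is the usual next diagnostic step.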