
mutt/2684: crash on s/mime verification



>Number:         2684
>Notify-List:    
>Category:       mutt
>Synopsis:       crash on s/mime verification
>Confidential:   no
>Severity:       normal
>Priority:       medium
>Responsible:    mutt-dev
>State:          open
>Keywords:       
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 12 23:17:20 +0100 2007
>Originator:     Sertaç Ö. Yıldız
>Release:        tried with 1.5.13 and 1.5.13cvs (2007-01-09)
>Organization:
>Environment:
Linux 2.6.19.2
[using ncurses 5.5] [using libidn 0.6.5 (compiled with 0.6.5)]
Compile options:
-DOMAIN
-DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  
+USE_FCNTL  -USE_FLOCK   -USE_INODESORT   
+USE_POP  +USE_NNTP  +USE_IMAP  -USE_GSS  +USE_SSL_OPENSSL  -USE_SSL_GNUTLS  
+USE_SASL  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  +COMPRESSED  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
+BUFFY_SIZE -EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  +HAVE_GETSID  -USE_HCACHE  
ISPELL="/usr/bin/ispell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/local/share/mutt"
SYSCONFDIR="/usr/local/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
>Description:
I tried to verify an S/MIME signed test mail with a GPG-encrypted body. But I
noticed two problems:
1) mutt asks for my s/mime password, but it shouldn't need it for verification.
2) After decrypting the body it crashes.

Program received signal SIGSEGV, Segmentation fault.
safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at lib.c:214
214       if (!s || !*s)
(gdb) bt
#0  safe_strdup (s=0x2d746e65 <Address 0x2d746e65 out of bounds>) at lib.c:214
#1  0x080a9ee7 in mutt_write_mime_header (a=0x99fbe60, f=0x99fbe60) at sendlib.c:324
#2  0x080612d5 in _mutt_copy_message (fpout=0x99fbe60, fpin=0x99d2018, hdr=0x99d2b48, body=0x99d3020, flags=1024, chflags=770) at copy.c:687
#3  0x08061a6a in mutt_copy_message (fpout=0x99fbe60, src=0x99422c0, hdr=0x99d2b48, flags=1024, chflags=770) at copy.c:742
#4  0x080c692b in smime_verify_sender (h=0x99d2b48) at smime.c:1174
#5  0x0805b685 in mutt_display_message (cur=0x99d2b48) at commands.c:185
#6  0x080663d8 in mutt_index_menu () at curs_main.c:1366
#7  0x08080b55 in main (argc=4, argv=0xbfaf6184) at main.c:1023

cur is not initialised here:

687         mutt_write_mime_header (cur, fpout);

so after sendlib.c:308:
(gdb) x cur->subtype
0xb7fa2000:      "Content-Type: message/Content-Type: message/Content-Type: 
message/Content-Type: message/Content-Type: message/Content-Type: 
message/Content-Type: message/Content-Type: message/Content-Type: message/Co"...
>How-To-Repeat:
>Fix:
This patch prevents the crash, but I'm not sure if it is correct or not.

--- mutt-1.5.13/copy.c.old      2007-01-05 00:01:38.000000000 +0200
+++ mutt-1.5.13/copy.c  2007-01-05 00:01:48.000000000 +0200
@@ -677,7 +677,7 @@ _mutt_copy_message (FILE *fpout, FILE *f
 
     if ((WithCrypto & APPLICATION_SMIME)
         && (flags & M_CM_DECODE_SMIME) && (hdr->security & APPLICATION_SMIME)
-             && hdr->content->type == TYPEAPPLICATION)
+             && hdr->content->type == TYPEMULTIPART)
     {
       if (crypt_smime_decrypt_mime (fpin, &fp, hdr->content, &cur))
        return (-1);
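Review bot: Swapping `TYPEAPPLICATION` for `TYPEMULTIPART` in the `-`/`+` pair changes which bodies enter `crypt_smime_decrypt_mime` instead of fixing the defect the backtrace points at, namely `cur` being uninitialised when `mutt_write_mime_header (cur, fpout)` runs at copy.c:687. With the new condition an S/MIME body of type application (what the original check selected) is no longer decrypted on this path, and any message that matches neither decrypt branch still reaches line 687 with garbage in `cur`. Suggest keeping the `TYPEAPPLICATION` test, initialising `cur` to NULL where it is declared, and returning (or skipping the header write) when it is still NULL after both branches; the passphrase prompt noted as problem 1 is not touched by this hunk and needs a separate change.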
>Add-To-Audit-Trail:

>Unformatted:
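The uninitialised `cur` failure from the backtrace above, as an added example that is not mutt's code: a constructed model of the `_mutt_copy_message` decode path with hypothetical stand-ins for `BODY`, the `crypt_*_decrypt_mime` helpers and `mutt_write_mime_header`, showing the alternative fix (initialise `cur` to NULL and refuse to write the header when neither decrypt branch ran) while keeping the original `TYPEAPPLICATION` test. The enum values and the decoded body are constructed for the example; only `flags=1024` comes from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for mutt's BODY, with only the fields used here. */
typedef struct { int type; const char *subtype; } BODY;
enum { TYPEAPPLICATION = 1, TYPEMULTIPART = 2 };            /* content types */
enum { APPLICATION_PGP = 1, APPLICATION_SMIME = 2 };        /* hdr->security bits */
enum { M_CM_DECODE_PGP = 512, M_CM_DECODE_SMIME = 1024 };   /* copy flags (1024 as in the report) */

/* Hypothetical stand-in for crypt_pgp_decrypt_mime / crypt_smime_decrypt_mime:
 * "decrypts" by handing back a constructed decoded body. */
static BODY decoded = { TYPEMULTIPART, "mixed" };
static int fake_decrypt_mime (BODY *in, BODY **cur) { (void) in; *cur = &decoded; return 0; }

/* Stand-in for mutt_write_mime_header, the call that crashed: it reads
 * a->type and a->subtype without checking a. */
static void write_mime_header (BODY *a, char *out, size_t outlen)
{
    snprintf (out, outlen, "Content-Type: %s/%s\n",
              a->type == TYPEMULTIPART ? "multipart" : "application", a->subtype);
}

/* Hardened shape of the decode path in _mutt_copy_message.  In the reported
 * code cur was only assigned inside the two branches, so a message matching
 * neither (S/MIME decode requested on a multipart body) reached
 * write_mime_header with a garbage pointer.  Returns 0 and fills out on
 * success, -1 when decryption failed or nothing was decoded. */
int copy_message_decoded (BODY *content, int security, int flags, char *out, size_t outlen)
{
    BODY *cur = NULL;                     /* assumed fix 1: known initial value */

    if ((flags & M_CM_DECODE_PGP) && (security & APPLICATION_PGP)
        && content->type == TYPEMULTIPART && fake_decrypt_mime (content, &cur))
        return -1;
    if ((flags & M_CM_DECODE_SMIME) && (security & APPLICATION_SMIME)
        && content->type == TYPEAPPLICATION && fake_decrypt_mime (content, &cur))
        return -1;
    if (!cur)                             /* assumed fix 2: fail instead of dereferencing */
        return -1;
    write_mime_header (cur, out, outlen);
    return 0;
}

/* Runs one case and keeps the header it produced (constructed test harness). */
char last_header[64];
int decode_case (int type, const char *subtype, int security, int flags)
{
    BODY b = { type, subtype };
    return copy_message_decoded (&b, security, flags, last_header, sizeof last_header);
}
```

The third case below is the report's situation (S/MIME decode flag on a multipart body): the hardened path returns -1 where the original dereferenced garbage.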