Bug 6562 - [review] Possible NULL deref in message_dump()
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: spamc/spamd
Version: SVN Trunk (Latest Devel Version)
Hardware: PC Linux
Importance: P2 normal
Target Milestone: 3.3.2
Assignee: SpamAssassin Developer Mailing List
Whiteboard: ready to commit for 3.3.2
Reported: 2011-03-24 18:29 UTC by frederik.deweerdt
Modified: 2011-05-10 19:29 UTC



Attachment | Type | Status | Submitter/CLA Status
Rough patch from Frederik Deweerdt based on discussions | patch | None | Kevin A. McGrail [HasCLA]
Very simple patch to return if called with a null body appropriate for 3.3 branch | patch | None | Kevin A. McGrail [HasCLA]

Description frederik.deweerdt 2011-03-24 18:29:36 UTC
When calling message_dump with a NULL m argument, m is checked against
being NULL before calling message write, but m is dereferenced in the
libspamc_log call below it.

See http://article.gmane.org/gmane.mail.spam.spamassassin.devel/62986 for a patch proposal.
Comment 1 Kevin A. McGrail 2011-03-25 11:19:51 UTC
Created attachment 4861 [details]
Rough patch from Frederik Deweerdt based on discussions
Comment 2 Kevin A. McGrail 2011-03-25 11:25:14 UTC
In fixing this patch, we are requiring the passing of flags to message_dump so that if the message is null, we can still log an error correctly.

Because this is a change to an API, the target will be for a major milestone, currently set as 3.4.0.

However, the patch needs more work to comment the reasons for the change at least referencing the bug and update the documentation regarding the API change to let third-party software using libspamc.so know of the impending change.
Comment 3 Kevin A. McGrail 2011-03-25 11:40:37 UTC
Prior to the major milestone, the much simpler original patch to change to m == null return logic could be implemented immediately.
Comment 4 Kevin A. McGrail 2011-05-10 17:07:24 UTC
Created attachment 4883 [details]
Very simple patch to return if called with a null body appropriate for 3.3 branch
Comment 5 Kevin A. McGrail 2011-05-10 17:22:57 UTC
The very simple patch should be applied to 3.3.  It checks to make sure a NULL reference is not received in message_dump from libspamc.c.  +1 from me.

The more complex patch is targeted at 3.4.0 to give people a warning on the prototype change for message_dump to include flags so that proper logging can occur.

The more complex patch is in trunk now.

Sending        spamc/libspamc.c
Sending        spamc/libspamc.h
Sending        spamc/spamc.c
Transmitting file data ...
Committed revision 1101550.
Comment 6 Darxus 2011-05-10 17:25:01 UTC
Please add "[review]" to the summary.
Comment 7 Mark Martinec 2011-05-10 17:40:20 UTC
> Created attachment 4883 [details]
> Very simple patch to return if called with a null body appropriate
> for 3.3 branch

+1 for 3.3
Comment 8 Henrik Krohns 2011-05-10 19:10:55 UTC
(In reply to comment #7)
> > Created attachment 4883 [details]
> > Very simple patch to return if called with a null body appropriate
> > for 3.3 branch
> 
> +1 for 3.3

also +1 for 3.3
Comment 9 Kevin A. McGrail 2011-05-10 19:29:51 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > > Created attachment 4883 [details]
> > > Very simple patch to return if called with a null body appropriate
> > > for 3.3 branch
> > 
> > +1 for 3.3
> 
> also +1 for 3.3

Sending        spamc/libspamc.c
Transmitting file data .
Committed revision 1101612.
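
The pattern reported in this bug and the two fixes discussed in the thread, as an added example that is not libspamc's code and not either attached patch. The struct, the function names (`dump_before`, `dump_simple`, `dump_with_flags`), the logger and the `copy_ok` parameter are hypothetical stand-ins, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not libspamc's real definitions. */
enum { MSG_NONE = 0, MSG_RAW = 1 };
struct msg { int type; int log_flags; const char *text; };

static int last_log_flags = -1;   /* flags seen by the most recent log call */
static int emitted = 0;           /* number of messages written out */

static void log_err(int flags, const char *what) {
    last_log_flags = flags;
    fprintf(stderr, "[flags=%d] %s\n", flags, what);
}

static void emit(const struct msg *m) { emitted++; fputs(m->text, stdout); }

/* Before: the write is guarded, the log call below it is not.
 * copy_ok stands in for the outcome of the copy loop. */
int dump_before(const struct msg *m, int copy_ok) {
    if (m != NULL && m->type != MSG_NONE) emit(m);
    if (!copy_ok) {
        log_err(m->log_flags, "copy failed");  /* NULL deref when m == NULL */
        return -1;
    }
    return 0;
}

/* Simple fix: return early on NULL. No flags are available, so nothing is logged. */
int dump_simple(const struct msg *m, int copy_ok) {
    if (m == NULL) return -1;
    if (m->type != MSG_NONE) emit(m);
    if (!copy_ok) { log_err(m->log_flags, "copy failed"); return -1; }
    return 0;
}

/* API-changing fix: the caller supplies flags, so the NULL case can be logged. */
int dump_with_flags(const struct msg *m, int flags, int copy_ok) {
    if (m == NULL) { log_err(flags, "dump called with NULL message"); return -1; }
    if (m->type != MSG_NONE) emit(m);
    if (!copy_ok) { log_err(flags, "copy failed"); return -1; }
    return 0;
}

int main(void) {
    struct msg m = { MSG_RAW, 3, "constructed sample body\n" };
    dump_simple(NULL, 0);            /* returns -1 without logging */
    dump_with_flags(NULL, 7, 0);     /* logs using the caller's flags */
    return dump_with_flags(&m, m.log_flags, 1);
}
```

The early-return form keeps the function signature unchanged but fails silently on NULL; the flags form reports the error at the cost of changing every caller.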