Mailing List Archive

problems with multipart/related
The mail bellow cause clamav detect something wrong then crash :

----------------<snip>------------
Return-Path: <>
Content-Type: multipart/related; boundary=xxx

--xxx
Content-Type: image/foobar

--xxx--
----------------<snip>------------

% clamscan --mbox test1.mail
Assertion failed: (htmltextPart != -1), function insert, file mbox.c, line 674.
abort (core dumped) clamscan --mbox test1.mail

I have looked in multipart/related management. There is some algorithm
who does : look for the first text/html part or, if not found, the
first text/* part or, if still not found get the first multipart/*. If
none of these, crash.

I'm not sure why this search is for. According RFC 2387, it's not the
right way to find the root part.
Re: problems with multipart/related [ In reply to ]
Hello!

I confirm this. It crashes my clamav based on a week-old CVS, mbox.c didn't
change since that time. Fix is trivial, just comment out assert() which
caused crash. htmlTextPart is not used in the execution flow after that point.

This works for me but needs more deep investigation. I did not test if it
conforms RFC 2387 or any other standarts. My fix only causes clamav not to
crash.

misha.

On Mon, 3 Nov 2003, Laurent Wacrenier wrote:

LW>The mail bellow cause clamav detect something wrong then crash :
LW>
LW>----------------<snip>------------
LW>Return-Path: <>
LW>Content-Type: multipart/related; boundary=xxx
LW>
LW>--xxx
LW>Content-Type: image/foobar
LW>
LW>--xxx--
LW>----------------<snip>------------
LW>
LW>% clamscan --mbox test1.mail
LW>Assertion failed: (htmltextPart != -1), function insert, file mbox.c, line 674.
LW>abort (core dumped) clamscan --mbox test1.mail
LW>
LW>I have looked in multipart/related management. There is some algorithm
LW>who does : look for the first text/html part or, if not found, the
LW>first text/* part or, if still not found get the first multipart/*. If
LW>none of these, crash.
LW>
LW>I'm not sure why this search is for. According RFC 2387, it's not the
LW>right way to find the root part.
LW>
Re: problems with multipart/related [ In reply to ]
Michael Dankov wrote:
> This works for me but needs more deep investigation. I did not test if it
> conforms RFC 2387 or any other standarts. My fix only causes clamav not to
> crash.

According RFC 2387, the "root" element is the first element of the
multipart/related unless the Content-Type has an optional parameter
"start" who indicate the Content-Id MIME header of the "root" element.
Notice that hostil mail could containt invalid or unexistant "start"
parameter to trigger border effect.

The "type" mandatory parameter should report the Content-Type of the
"root" element. It's used to guess the type without parsing the
elements. There is an undefined behaviour when the two types differs,
so, the scanner should not prefer one type over another.

Anyway, as any MIME element may be a virus, I think each of them
should be scanned, independenty of theyre role or theyre type in the
multipart.
Re: problems with multipart/related [ In reply to ]
On Monday 03 November 2003 7:23 pm, Laurent Wacrenier wrote:
> The mail bellow cause clamav detect something wrong then crash :

Fixed in libclamav/mbox.c version 1.16 now published in SourceForge. Thanks
for this one.

-Nigel (Nearly 1/4 way through my trip to India)