empty Content-Disposition or mime subtype crashes
The two messages below cause clamav to crash.
The MIME parser should set reasonable defaults instead of aborting.

---------------<snip>-------------
Return-Path: <>
Content-Type: multipart/mixed; boundary=xxx

--xxx
Content-Type: text/plain
Content-Disposition:

foo

--xxx--
---------------<snip>-------------

% clamscan --mbox test2.mail
Assertion failed: (disptype != NULL), function messageSetDispositionType, file message.c, line 222.
abort (core dumped) clamscan --mbox test2.mail




---------------<snip>-------------
Return-Path: <>
Content-Type: multipart/mixed; boundary=xxx

--xxx
Content-Type: text/

foo

--xxx--
---------------<snip>-------------
% clamscan --mbox test3.mail
Assertion failed: (subtype != NULL), function messageSetMimeSubtype, file message.c, line 204.
abort (core dumped) clamscan --mbox test3.mail
Re: empty Content-Disposition or mime subtype crashes
Hello!

This issue seems to be already fixed in CVS. At least these messages did
not crash my clamav.

misha.

On Mon, 3 Nov 2003, Laurent Wacrenier wrote:

LW>The two messages below cause clamav to crash.
LW>The MIME parser should set reasonable defaults instead of aborting.
LW>
LW>---------------<snip>-------------
LW>Return-Path: <>
LW>Content-Type: multipart/mixed; boundary=xxx
LW>
LW>--xxx
LW>Content-Type: text/plain
LW>Content-Disposition:
LW>
LW>foo
LW>
LW>--xxx--
LW>---------------<snip>-------------
LW>
LW>% clamscan --mbox test2.mail
LW>Assertion failed: (disptype != NULL), function messageSetDispositionType, file message.c, line 222.
LW>abort (core dumped) clamscan --mbox test2.mail
LW>
LW>
LW>
LW>
LW>---------------<snip>-------------
LW>Return-Path: <>
LW>Content-Type: multipart/mixed; boundary=xxx
LW>
LW>--xxx
LW>Content-Type: text/
LW>
LW>foo
LW>
LW>--xxx--
LW>---------------<snip>-------------
LW>% clamscan --mbox test3.mail
LW>Assertion failed: (subtype != NULL), function messageSetMimeSubtype, file message.c, line 204.
LW>abort (core dumped) clamscan --mbox test3.mail
Re: empty Content-Disposition or mime subtype crashes
On Mon, 03 Nov 2003 at 18:17:43 +0100, Laurent Wacrenier wrote:

> The two messages below cause clamav to crash.
> The MIME parser should set reasonable defaults instead of aborting.

I posted a patch for this some time ago however it had apparently already
been fixed in CVS (although looking at current CVS that does not appear to
be the case). See thread titled "[PATCH] libclamav: empty content-disposition
causes crash".


Matt.
Re: empty Content-Disposition or mime subtype crashes
Sorry for creating noise in the list, but, yes, those two messages
do crash my clamav.

On Mon, 3 Nov 2003, Michael Dankov wrote:

MD>Hello!
MD>
MD> This issue seems to be already fixed in CVS. At least these messages did
MD>not crash my clamav.
MD>
MD>misha.
Re: empty Content-Disposition or mime subtype crashes
I can confirm that this is a problem with the current release. I will
investigate and report back ASAP.

-Nigel
Re: empty Content-Disposition or mime subtype crashes
On Monday 03 November 2003 10:47 pm, Laurent Wacrenier wrote:
> The two messages below cause clamav to crash.
> The MIME parser should set reasonable defaults instead of aborting.

What mailer sends this line in its header???

> Content-Disposition:

> The MIME parser should set reasonable defaults instead of aborting

Please point out the "default" values that you mention in the RFCs and I'll
use them. I couldn't see any.

-Nigel
Re: empty Content-Disposition or mime subtype crashes
On Tue 4 Nov 16:10:44 2003, Nigel Horne wrote:
> On Monday 03 November 2003 10:47 pm, Laurent Wacrenier wrote:
> > The two messages below cause clamav to crash.
> > The MIME parser should set reasonable defaults instead of aborting.
>
> What mailer sends this line in its header???

I don't know: an empty Content-Disposition has been seen in an Asian spam
with some other invalid headers. I looked in the code to see why it
happened, then guessed that an empty subtype can also crash the scanner.

> > Content-Disposition:
>
> > The MIME parser should set reasonable defaults instead of aborting
>
> Please point out the "default" values that you mention in the RFCs and I'll
> use them. I couldn't see any.

I am just thinking of reasonable implementation defaults. Set them
(Content-Disposition and MIME subtype) as empty strings instead of
crashing.

RFC 2183 does not enforce default presentation of documents. Legal
Content-Disposition values are the ones prefixed by "x-" and the ones
listed in http://www.iana.org/assignments/mail-cont-disp

Any illegal or unrecognized value is suspect and should force a scan.
For example, the Sircam worm has the illegal header
Content-Disposition: Multipart message

In section 5.2, RFC 2045 recommends that a syntactically invalid
Content-Type be assumed to be
Content-type: text/plain; charset=us-ascii
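
Added example, not part of the thread and not libclamav code: one way to implement the defaults discussed above, with the RFC 2045 section 5.2 fallback to text/plain and a "suspect" flag for malformed headers. All names are hypothetical, and the recognized dispositions are limited to the two RFC 2183 values plus "x-" tokens; the IANA list has more.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical names for illustration; not libclamav's API.
 * suspect = 1 means the header was malformed: scan the part anyway. */
struct part_info { char type[32], subtype[32]; int suspect; };

/* Copy a token up to whitespace or any char in `stops`; return its length. */
static size_t copy_token(char *dst, size_t cap, const char *src, const char *stops)
{
    size_t n = 0;
    for (; src[n] && !strchr(stops, src[n]) && !isspace((unsigned char)src[n]) && n + 1 < cap; n++)
        dst[n] = src[n];
    dst[n] = '\0';
    return n;
}

/* NULL, "" or "text/" fall back to text/plain (RFC 2045 section 5.2). */
void parse_content_type(struct part_info *p, const char *v)
{
    size_t n = 0;
    while (v && isspace((unsigned char)*v)) v++;
    p->suspect = 0;
    if (!v || (n = copy_token(p->type, sizeof p->type, v, "/;")) == 0 || v[n] != '/' ||
        copy_token(p->subtype, sizeof p->subtype, v + n + 1, ";") == 0) {
        strcpy(p->type, "text");
        strcpy(p->subtype, "plain");
        p->suspect = 1;
    }
}

/* 1 for "inline", "attachment" (RFC 2183) or an "x-" token; 0 otherwise, never aborts. */
int disposition_is_recognized(const char *v)
{
    char tok[32];
    while (v && isspace((unsigned char)*v)) v++;
    if (!v || copy_token(tok, sizeof tok, v, ";") == 0) return 0;
    return !strcasecmp(tok, "inline") || !strcasecmp(tok, "attachment") || !strncasecmp(tok, "x-", 2);
}

int main(void)
{
    struct part_info p;
    parse_content_type(&p, "text/");   /* constructed input, as in the second report */
    printf("%s/%s suspect=%d disp_ok=%d\n", p.type, p.subtype, p.suspect, disposition_is_recognized(""));
    return 0;
}
```
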
Re: empty Content-Disposition or mime subtype crashes
Laurent Wacrenier wrote :
> ---------------<snip>-------------
> Return-Path: <>
> Content-Type: multipart/mixed; boundary=xxx
>
> --xxx
> Content-Type: text/
>
> foo
>
> --xxx--
> ---------------<snip>-------------
> % clamscan --mbox test3.mail
> Assertion failed: (subtype != NULL), function messageSetMimeSubtype, file message.c, line 204.
> abort (core dumped) clamscan --mbox test3.mail


Against this one, for clamav devel-20031106 :

--- libclamav/message.c.old Wed Nov 5 08:03:51 2003
+++ libclamav/message.c Thu Nov 6 15:06:08 2003
@@ -204,7 +204,8 @@
messageSetMimeSubtype(message *m, const char *subtype)
{
assert(m != NULL);
- assert(subtype != NULL);
+ if (subtype == NULL)
+ subtype = "";

if(m->mimeSubtype)
free(m->mimeSubtype);
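
Review bot: at the new "if (subtype == NULL)" branch, substituting "" removes the abort but stores an empty subtype for the part, so every later comparison against m->mimeSubtype has to cope with an empty string. RFC 2045 section 5.2, cited earlier in this thread, recommends treating a syntactically invalid Content-Type as text/plain; consider having the caller apply that default rather than passing NULL down to the setter. Style: the surrounding code writes "if(" without a space, so "if(subtype == NULL)" would match the file.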
Re: empty Content-Disposition or mime subtype crashes
The message still crashes clamav devel-20031112.
Is it a problem to apply this 3-line patch?
Any reproducible crash is a source of denial of service.

On Thu 6 Nov 15:12:21 2003, Laurent Wacrenier wrote:
> Laurent Wacrenier wrote :
> > ---------------<snip>-------------
> > Return-Path: <>
> > Content-Type: multipart/mixed; boundary=xxx
> >
> > --xxx
> > Content-Type: text/
> >
> > foo
> >
> > --xxx--
> > ---------------<snip>-------------
> > % clamscan --mbox test3.mail
> > Assertion failed: (subtype != NULL), function messageSetMimeSubtype, file message.c, line 204.
> > abort (core dumped) clamscan --mbox test3.mail
>
>
> Against this one, for clamav devel-20031106 :
>
> --- libclamav/message.c.old Wed Nov 5 08:03:51 2003
> +++ libclamav/message.c Thu Nov 6 15:06:08 2003
> @@ -204,7 +204,8 @@
> messageSetMimeSubtype(message *m, const char *subtype)
> {
> assert(m != NULL);
> - assert(subtype != NULL);
> + if (subtype == NULL)
> + subtype = "";
>
> if(m->mimeSubtype)
> free(m->mimeSubtype);
>
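
Review bot: the assert(disptype != NULL) in messageSetDispositionType (message.c line 222 in the first report of this thread) is not covered by this patch, so the message with the empty Content-Disposition header would still abort. The same NULL check as on the "subtype" lines is needed there before this closes the report.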