[Bug 3212] New: double free in message_cleanup
http://bugzilla.spamassassin.org/show_bug.cgi?id=3212

Summary: double free in message_cleanup
Product: Spamassassin
Version: 2.63
Platform: Other
OS/Version: other
Status: NEW
Severity: trivial
Priority: P5
Component: spamc/spamd
AssignedTo: spamassassin-dev@incubator.apache.org
ReportedBy: ftu@fi.uu.nl


I intermittently get a bad heap in spamc when running the test suite.
It seems to be caused by this:

message_read_bsmtp() sets m->msg to point *somewhere* in m->raw:

    i += 6;
    if (m->raw[i-1] == '\r') i++;
    m->pre_len = i;
    m->msg = m->raw + i;   /* interior pointer into the raw buffer */
                 ^^

and message_cleanup() attempts to avoid double freeing by
testing for (m->out != m->raw) without considering the "i" added
by message_read_bsmtp():


void message_cleanup(struct message *m) {
    /* only out == raw is treated as an alias, so an interior pointer raw+i is freed twice */
    if (m->out != NULL && m->out != m->raw) free(m->out);
    if (m->raw != NULL) free(m->raw);
    if (m->priv != NULL) free(m->priv);
    clear_message(m);
}



This is a low-priority bug. The root of the problem was that the account "nobody"
had disappeared. This caused the daemon to shut down prematurely, which probably
caused spamc to exercise a rare path through the code. Once I had restored the
"nobody" account the test worked.
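As an added illustration (this is not code from spamc or from the report), the following C program reproduces the aliasing shape the bug describes and shows the defensive fix: track buffer ownership explicitly instead of inferring it from a single pointer-equality test. The struct is a simplified stand-in; only the fields raw, msg, pre_len, out and priv are named in the report, while raw_len, out_owned, the setup helpers and the assumption that out aliases msg in the pass-through case are additions here. A minimal alternative fix that stays closer to the quoted code would be to also treat `m->out == m->raw + m->pre_len` as an alias, but an ownership flag survives later changes to how out is derived.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified, hypothetical stand-in for spamc's struct message; only the
 * fields named in the report (raw, msg, pre_len, out, priv) come from the page,
 * raw_len and out_owned are added here. */
struct message {
    char  *raw;       /* whole buffer read from the socket; always its own allocation */
    size_t raw_len;
    char  *msg;       /* interior pointer: raw + pre_len, never free()d on its own */
    size_t pre_len;
    char  *out;       /* either an alias of msg (pass-through) or its own allocation */
    bool   out_owned; /* true only when out must be free()d by cleanup */
    char  *priv;
};

/* Emulates the aliasing the report describes: msg points pre_len bytes into
 * raw, and out is made to alias msg when the message is passed through unchanged
 * (that out aliases msg is an assumption; the report only shows msg = raw + i). */
static void setup_passthrough(struct message *m, const char *wire, size_t pre_len) {
    memset(m, 0, sizeof *m);
    m->raw_len = strlen(wire);
    m->raw = malloc(m->raw_len + 1);
    if (m->raw == NULL) abort();
    memcpy(m->raw, wire, m->raw_len + 1);
    m->pre_len = pre_len;
    m->msg = m->raw + pre_len;   /* the "m->msg = m->raw + i" from the report */
    m->out = m->msg;             /* alias, not a new allocation */
    m->out_owned = false;
}

/* Variant where the output was rewritten into a fresh buffer. */
static void setup_rewritten(struct message *m, const char *wire, size_t pre_len, const char *rewritten) {
    setup_passthrough(m, wire, pre_len);
    size_t n = strlen(rewritten);
    m->out = malloc(n + 1);
    if (m->out == NULL) abort();
    memcpy(m->out, rewritten, n + 1);
    m->out_owned = true;
}

/* The guard quoted in the report: only out == raw is recognised as an alias, so
 * an interior pointer raw + pre_len slips through and would be free()d twice. */
static bool buggy_guard_would_free_out(const struct message *m) {
    return m->out != NULL && m->out != m->raw;
}

/* Hardened cleanup: ownership is tracked explicitly instead of inferred from
 * pointer equality. Returns the number of free() calls made, for checking. */
static int message_cleanup_fixed(struct message *m) {
    int frees = 0;
    if (m->out != NULL && m->out_owned) { free(m->out); frees++; }
    if (m->raw != NULL)                 { free(m->raw); frees++; }
    if (m->priv != NULL)                { free(m->priv); frees++; }
    memset(m, 0, sizeof *m);            /* stands in for clear_message() */
    return frees;
}

/* Constructed wire message: a 7-byte prefix ("HELLO\r\n") followed by the body. */
#define WIRE "HELLO\r\nSubject: test\r\n\r\nbody\r\n"
#define WIRE_PREFIX 7

/* Pass-through case: would the original guard free the interior pointer? */
static bool passthrough_triggers_bug(void) {
    struct message m;
    setup_passthrough(&m, WIRE, WIRE_PREFIX);
    bool would = buggy_guard_would_free_out(&m);
    message_cleanup_fixed(&m);
    return would;
}

/* Pass-through case through the fixed cleanup: raw freed once, out skipped. */
static int passthrough_free_count(void) {
    struct message m;
    setup_passthrough(&m, WIRE, WIRE_PREFIX);
    return message_cleanup_fixed(&m);
}

/* Rewritten case: out is a real allocation, so both raw and out are freed. */
static int rewritten_free_count(void) {
    struct message m;
    setup_rewritten(&m, WIRE, WIRE_PREFIX, "Subject: [SPAM] test\r\n\r\nbody\r\n");
    return message_cleanup_fixed(&m);
}

int main(void) {
    printf("buggy guard would free interior pointer: %s\n", passthrough_triggers_bug() ? "yes" : "no");
    printf("fixed cleanup, pass-through: %d free() calls\n", passthrough_free_count());
    printf("fixed cleanup, rewritten:    %d free() calls\n", rewritten_free_count());
    return 0;
}
```

Running the program under a heap checker (for example glibc's MALLOC_CHECK_ or AddressSanitizer) with the original guard substituted into the cleanup is how the intermittent "bad heap" the reporter saw would be caught deterministically; with the ownership flag the pass-through path frees raw exactly once.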


