From owner-freebsd-bugs@FreeBSD.ORG Fri Jul 11 05:10:10 2003
Resent-Date: Fri, 11 Jul 2003 05:10:09 -0700 (PDT)
Resent-Message-Id: <200307111210.h6BCA93B078841@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Oleg Bulyzhin
Message-Id: <20030711120502.3B7952EF9@lath.rinet.ru>
Date: Fri, 11 Jul 2003 16:05:02 +0400 (MSD)
From: Oleg Bulyzhin
To: FreeBSD-gnats-submit@FreeBSD.org
cc: gshapiro@FreeBSD.org
Subject: bin/54367: [PATCH] sendmail coredumps (sometime) when using dns map
Reply-To: Oleg Bulyzhin

>Number: 54367
>Category: bin
>Synopsis: [PATCH] sendmail coredumps (sometime) when using dns map
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 11 05:10:09 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Oleg Bulyzhin
>Release: FreeBSD 4.8-RELEASE i386
>Organization: Cronyx Plus LLC
>Environment:
System: FreeBSD lath.rinet.ru 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Sat Apr 5 12:35:16 MSD 2003 root@lath.rinet.ru:/lh/obj/lh/src/sys/lath i386
Any FreeBSD version with sendmail below 8.12.9 is affected, I guess.
>Description:
Only sendmail 8.12.8 (and previous) are affected. 8.12.9 has this bug fixed.

If you are using dns maps in your sendmail.cf and have decent smtp traffic, you can see "random" sendmail crashes. (The problem was noticed on our primary mail relay, which has about 300000 delivery attempts per day.)

If you search your maillog for the crashed sendmail pid, you can see (often, but not always) an error like this:

sm-mta[90653]: ERROR: DNS RDLENGTH=63885 > data len=2468

Here is an explanation of why this can happen:

In dns_parse_reply() sendmail builds a chain of RESOURCE_RECORD_T structures (dynamically allocating memory for them). Due to wrong initialization of those structures, if sendmail gets a bad dns reply (with actual reply size != announced reply size), it calls dns_free_data (sm_resolve.c:227) with the rr_next field of the last chain structure filled with garbage.
In dns_free_data() sendmail tries to free the allocated chain of structures: it goes through the chain using the rr_next pointer and stops when rr_next == NULL. Garbage in the rr_next field causes sendmail to call free() on random addresses. This usually causes sendmail to crash. Theoretically (I'm not sure) this bug can lead to remote code execution.
>How-To-Repeat:
Don't know easy ways to reproduce the problem. (We need a source of broken dns replies, I guess.)
>Fix:
Use sm_resolve.c coming with sendmail 8.12.9 or use this patch:

--- sm_resolve.c.orig Fri Jun 28 00:43:24 2002 +++ sm_resolve.c Thu Jul 10 01:21:17 2003 @@ -233,6 +233,7 @@ dns_free_data(r); return NULL; } + memset(*rr, 0, sizeof(**rr)); (*rr)->rr_domain = sm_strdup(host); if ((*rr)->rr_domain == NULL) {

>Release-Note:
>Audit-Trail:
>Unformatted:
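Review bot: the added `memset(*rr, 0, sizeof(**rr));` carries no comment stating the invariant it establishes; add one along the lines of `/* rr_next and the payload pointers must be NULL before any error path reaches dns_free_data() */`, because nothing nearby otherwise signals that the zeroing is load-bearing and a later cleanup could drop it. The placement itself is right: it sits after the allocation-failure branch (`dns_free_data(r); return NULL;`), where `*rr` is still NULL and the chain already terminates, and before `(*rr)->rr_domain = sm_strdup(host);`, so the `rr_domain == NULL` branch that follows is the first error path able to see the new node, and it now sees a zeroed one.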
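To make the failure mode concrete, here is an added example (not sendmail's code): a small model of the RESOURCE_RECORD_T chain whose parser, like dns_parse_reply(), links a node in before checking RDLENGTH, and whose free walk reports whether it would have reached a garbage pointer. The record layout, the GARBAGE sentinel and the two reply byte strings are constructed for this example; zero_init selects between the 8.12.8 behaviour and the patched one.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for sendmail's RESOURCE_RECORD_T (constructed for this example). */
typedef struct rr { char *rr_domain; struct rr *rr_next; } rr_t;
/* Stands in for "whatever the heap held": compared against, never dereferenced. */
#define GARBAGE ((rr_t *)(uintptr_t)0xDEADBEEF)
/* The dns_free_data() walk: follow rr_next until NULL. Returns records freed, or -1
 * where real sendmail would have handed a junk pointer to free(). */
int free_chain_checked(rr_t *head)
{
    int n = 0;
    while (head != NULL && head != GARBAGE) {
        rr_t *next = head->rr_next;
        free(head->rr_domain); free(head); head = next; n++;
    }
    return head == NULL ? n : -1;
}
/* Records are laid out as: name_len, name, rdlength(2), rdata. As in dns_parse_reply(),
 * the node is linked in and its domain copied BEFORE the RDLENGTH check, so bailing out
 * there leaves a fresh node at the tail; only the success path writes the final NULL.
 * zero_init != 0 is the patched behaviour; 0 mimics 8.12.8, where rr_next held stale data. */
int parse_reply(const uint8_t *p, size_t len, int zero_init, rr_t **rr)
{
    while (len >= 3 && len >= (size_t)p[0] + 3) {
        size_t nlen = p[0], rdlen = (size_t)p[1 + nlen] << 8 | p[2 + nlen];
        if ((*rr = calloc(1, sizeof **rr)) == NULL) return -1;
        if (!zero_init) (*rr)->rr_next = GARBAGE;   /* the one field left "uninitialised" here */
        if (((*rr)->rr_domain = malloc(nlen + 1)) == NULL) return -1;
        memcpy((*rr)->rr_domain, p + 1, nlen);
        (*rr)->rr_domain[nlen] = '\0';
        p += 3 + nlen; len -= 3 + nlen;
        if (rdlen > len) return -1;   /* "ERROR: DNS RDLENGTH=.. > data len=..": 8.12.8 freed the chain here */
        p += rdlen; len -= rdlen;
        rr = &(*rr)->rr_next;
    }
    *rr = NULL;
    return 0;
}
/* Constructed replies: record "a" with 4 bytes of rdata, then record "b" announcing
 * RDLENGTH 0 (REPLY_OK) or 0xFFFF with nothing behind it (REPLY_TRUNCATED). */
const uint8_t REPLY_OK[]        = { 1, 'a', 0, 4, 9, 9, 9, 9,  1, 'b', 0x00, 0x00 };
const uint8_t REPLY_TRUNCATED[] = { 1, 'a', 0, 4, 9, 9, 9, 9,  1, 'b', 0xFF, 0xFF };
/* Parse, then free the way dns_free_data() does; report what the free walk saw. */
int parse_then_free(const uint8_t *reply, size_t len, int zero_init)
{
    rr_t *head = NULL;
    parse_reply(reply, len, zero_init, &head);
    return free_chain_checked(head);
}
```

A well-formed reply frees cleanly in both modes, which is why the crash looked "random": only a reply whose announced RDLENGTH overruns the data leaves the dirty tail pointer in place.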