On 2022/09/22 10:37, Renaud Allard wrote:
> Hello,
>
> I opened a bug report on github for smtpd, but I am not really sure if it's
> read, so I am also posting it here.
>
> It's all described in https://github.com/OpenSMTPD/OpenSMTPD/issues/1183
>
> Basically, I am able to reliably crash OpenSMTPd by sending a mail to
> cont...@habitium.fr when either vm.malloc_conf flags S, U or F are set.
>
> Note that this domain has bogus DNS records and mail will fail anyway.
>
> habitium.fr mail is handled by 10 _dc-mx.4063971290c7.habitium.fr.
> # host _dc-mx.4063971290c7.habitium.fr
> _dc-mx.4063971290c7.habitium.fr has address 212.63.111.139
> Host _dc-mx.4063971290c7.habitium.fr not found: 3(NXDOMAIN)
>
>
> Best Regards
I can replicate. Backtrace and debug logs below.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000b5bc776f0a3 in mta_report_link_disconnect (s=0xb5e656596d0)
at /usr/src/usr.sbin/smtpd/smtpd/../mta_session.c:1787
1787 if (! SESSION_FILTERED(s))
(gdb) bt full
#0 0x00000b5bc776f0a3 in mta_report_link_disconnect (s=0xb5e656596d0)
at /usr/src/usr.sbin/smtpd/smtpd/../mta_session.c:1787
No locals.
#1 mta_disconnected (s=0xb5e656596d0) at
/usr/src/usr.sbin/smtpd/smtpd/../mta_session.c:1740
No locals.
#2 mta_free (s=0xb5e656596d0) at
/usr/src/usr.sbin/smtpd/smtpd/../mta_session.c:374
relay = <optimized out>
route = <optimized out>
#3 0x00000b5bc7770518 in mta_io (io=<optimized out>, evt=<optimized out>,
arg=0xb5e656596d0)
at /usr/src/usr.sbin/smtpd/smtpd/../mta_session.c:1333
len = <optimized out>
line = <optimized out>
cont = <optimized out>
msg = <optimized out>
error = <optimized out>
p = <optimized out>
s = <optimized out>
#4 0x00000b5bc7758340 in io_dispatch (fd=<optimized out>, ev=<optimized out>,
humppa=0xb5e6563dc00)
at /usr/src/usr.sbin/smtpd/smtpd/../ioev.c:732
io = 0xb5e6563dc00
w = <optimized out>
n = <optimized out>
saved_errno = <optimized out>
#5 0x00000b5e794922ef in event_process_active (base=0xb5e65646c00) at
/usr/src/lib/libevent/event.c:333
i = <optimized out>
ncalls = -8225
ev = <optimized out>
#6 event_base_loop (base=0xb5e65646c00, flags=<optimized out>) at
/usr/src/lib/libevent/event.c:483
tv = {tv_sec = 0, tv_usec = 622895}
evsel = <optimized out>
evbase = 0xb5e65646000
done = <error reading variable done (Cannot access memory at address
0x0)>
res = <optimized out>
tv_p = <optimized out>
#7 0x00000b5bc7778086 in dispatcher () at
/usr/src/usr.sbin/smtpd/smtpd/../dispatcher.c:182
pw = 0xb5ebb788000
#8 0x00000b5bc7749d02 in _start ()
No symbol table info available.
$ doas smtpd -vvvvvvd
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: OpenSMTPD 7.0.0 starting
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: crypto -> control[25943] fd=4
setup_peer: crypto -> dispatcher[45722] fd=5
setup_proc: crypto done
debug: init ssl-tree
setup_done: ca[15544] done
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: dispatcher -> control[25943] fd=4
setup_peer: dispatcher -> crypto[15544] fd=5
setup_peer: dispatcher -> lookup[63570] fd=6
setup_peer: dispatcher -> queue[4056] fd=7
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: scheduler -> control[25943] fd=4
setup_peer: scheduler -> queue[4056] fd=5
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: lookup -> control[25943] fd=4
setup_peer: lookup -> dispatcher[45722] fd=5
setup_peer: lookup -> queue[4056] fd=6
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: control -> crypto[15544] fd=4
setup_peer: control -> lookup[63570] fd=5
setup_peer: control -> dispatcher[45722] fd=6
setup_peer: control -> queue[4056] fd=7
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: control -> scheduler[22686] fd=8
setup_proc: control done
setup_done: control[25943] done
setup_peer: queue -> control[25943] fd=4
setup_peer: queue -> dispatcher[45722] fd=5
setup_proc: lookup done
setup_peer: queue -> lookup[63570] fd=6
setup_peer: queue -> scheduler[22686] fd=7
setup_done: lka[63570] done
setup_proc: dispatcher done
setup_done: dispatcher[45722] done
setup_proc: queue done
setup_done: queue[4056] done
setup_proc: scheduler done
setup_done: scheduler[22686] done
debug: bounce warning after 4h
smtpd: setup done
debug: parent_send_config_ruleset: reloading
debug: parent_send_config: configuring dispatcher process
debug: parent_send_config: configuring ca process
debug: init private ssl-tree
debug: rsa_engine_init: using RSA privsep engine
debug: ecdsa_engine_init: using ECDSA privsep engine
mta_postfork: local_mail
mta_postfork: outbound
debug: smtp: listen on [::1] port 25 flags 0x400
debug: smtp: listen on [fe80::1%lo0] port 25 flags 0x400
debug: smtp: listen on 127.0.0.1 port 25 flags 0x400
debug: smtp: will accept at most 1989 clients
debug: queue: done loading queue into scheduler
debug: scheduler: evp:95b773ec4fa1d28a scheduled (mta)
debug: mta: received evp:95b773ec4fa1d28a for <test....@habitium.fr>
debug: mta: draining [relay:habitium.fr,smtp] refcount=1, ntask=1,
nconnector=0, nconn=0
debug: mta: querying MX for [relay:habitium.fr,smtp]...
debug: mta: [relay:habitium.fr,smtp] waiting for MX
debug: MXs for domain habitium.fr:
212.63.111.139 preference 10
debug: mta: ... got mx (0xbd258986920, habitium.fr, [relay:habitium.fr,smtp])
debug: mta: draining [relay:habitium.fr,smtp] refcount=1, ntask=1,
nconnector=0, nconn=0
debug: mta: querying source for [relay:habitium.fr,smtp]...
debug: mta: ... got source for [relay:habitium.fr,smtp]: []
debug: mta: new [connector:[]->[relay:habitium.fr,smtp],0x10000]
debug: mta: connecting with [connector:[]->[relay:habitium.fr,smtp],0x0]
debug: mta-routing: searching new route for
[connector:[]->[relay:habitium.fr,smtp],0x0]...
debug: mta-routing: selecting candidate route [] <-> 212.63.111.139
debug: mta-routing: spawning new connection on [] <-> 212.63.111.139
debug: mta: 0xbd2589816d0: spawned for relay [relay:habitium.fr,smtp]
debug: mta: connecting with [connector:[]->[relay:habitium.fr,smtp],0x0]
debug: mta: cannot use [relay:habitium.fr,smtp] before 2s
debug: mta-routing: no route available for
[connector:[]->[relay:habitium.fr,smtp],0x0]: must wait a bit
debug: mta: retrying to connect on [connector:[]->[relay:habitium.fr,smtp],0x0]
in 2s...
debug: mta: draining [relay:habitium.fr,smtp] refcount=3, ntask=1,
nconnector=1, nconn=1
debug: mta: scheduling relay [relay:habitium.fr,smtp] in 1s...
7eccf27d7a58dde3 mta connecting address=smtp://212.63.111.139:25
host=dns111139.phdns11.es
7eccf27d7a58dde3 mta connected
7eccf27d7a58dde3 mta closing reason=tls-connect-failed
debug: mta: 0xbd2589816d0: session done
debug: mta_route_collect([] <-> 212.63.111.139 (dns111139.phdns11.es))
smtp-out: Disabling route [] <-> 212.63.111.139 (dns111139.phdns11.es) for 15s
debug: mta: connecting with [connector:[]->[relay:habitium.fr,smtp],0x20000]
debug: mta: cancelling connector timeout
debug: mta: cannot use [relay:habitium.fr,smtp] before 2s
debug: mta-routing: no route available for
[connector:[]->[relay:habitium.fr,smtp],0x0]: must wait a bit
debug: mta: retrying to connect on [connector:[]->[relay:habitium.fr,smtp],0x0]
in 2s...
debug: mta: 0xbd2589816d0: session done
debug: control -> dispatcher: pipe closed
debug: lka -> dispatcher: pipe closed
debug: control agent exiting
debug: lookup agent exiting
debug: queue -> dispatcher: pipe closed
debug: queue agent exiting
debug: scheduler -> control: pipe closed
debug: ca -> dispatcher: pipe closed
debug: scheduler agent exiting
debug: ca agent exiting
debug: parent -> dispatcher: pipe closed
smtpd: process dispatcher socket closed
