retitle 722611 libsasl2-2: double free with DIGEST-MD5
reassign 722611 libsasl2-2 2.1.25.dfsg1-14
tag 722611 patch
thanks
On Wed, 11 Jun 2014 10:36:04 -0400, Matteo Cypriani <m...@lm7.fr> wrote:
> I hadn't really used it since last time, but I just had mutt crash again
> after sending a mail:
>
> Envoi du message... 0K/9,6K (0%)
> *** Error in `mutt': double free or corruption (!prev): 0x0000000002868280 ***
> zsh: abort mutt
>
> Package versions:
> mutt 1.5.23-1
> libsasl2-2 2.1.26.dfsg1-9

After all it *looks* indeed like it's a bug in libsasl. The bug occurs when trying to send an email with mutt via SMTP and the DIGEST-MD5 authentication, because free_rc4() (from plugins/digestmd5.c) is called twice: once when mutt calls sasl_client_step(), and once when it calls sasl_dispose().

I'm attaching a file with the most important steps of my gdb session (this time I rebuilt mutt and libsasl with nostrip to have all the symbols).

I'm also attaching a patch that fixes the problem for me, but please don't blindly apply it: I really don't know what I'm doing! Maybe the pointers should be set to NULL elsewhere, or maybe free_rc4() shouldn't be called twice in the first place; I'm not familiar enough with the code to tell.

Cheers,
Matteo
gdb_session
Description: Binary data
Subject: Avoids double free in case free_rc4() is called multiple times Author: Matteo Cypriani <m...@lm7.fr> --- a/plugins/digestmd5.c +++ b/plugins/digestmd5.c @@ -1226,8 +1226,15 @@ { /* free rc4 context structures */ - if(text->cipher_enc_context) text->utils->free(text->cipher_enc_context); - if(text->cipher_dec_context) text->utils->free(text->cipher_dec_context); + if(text->cipher_enc_context) { + text->utils->free(text->cipher_enc_context); + text->cipher_enc_context = NULL; + } + + if(text->cipher_dec_context) { + text->utils->free(text->cipher_dec_context); + text->cipher_dec_context = NULL; + } } static int init_rc4(context_t *text,
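Review bot: setting each pointer to NULL right after text->utils->free() makes free_rc4() idempotent, so the second invocation described in the cover mail (sasl_dispose() after sasl_client_step()) falls through both `if` guards instead of freeing the same block again; that is a sound minimal guard at the free site whatever the origin of the duplicated call. The patch header should say so explicitly and carry a DEP-3 `Bug-Debian:` field referencing #722611, so a later maintainer can see that the duplicate call path itself is still unexplained rather than fixed. It is also worth checking whether any other cipher-context free routine in digestmd5.c is dispatched along the same two paths and needs the same NULL-after-free treatment.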
pgpz41bM2VvjE.pgp
Description: PGP signature
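The following is an added C example, not code from libsasl, mutt or the report above; it models the free_rc4() defect with hypothetical stand-ins (a minimal `context_t` with a `utils->free` callback, as the patch's lines suggest) and a small tracking allocator that records double frees instead of triggering undefined behaviour. It shows why the pre-patch routine crashes when the two teardown paths both reach it, and why the NULL-after-free version survives the same sequence.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the libsasl types named in the report: the
 * plugin releases its cipher contexts through text->utils->free. */
typedef struct {
    void (*free)(void *ptr);
} sasl_utils_t;

typedef struct {
    const sasl_utils_t *utils;
    void *cipher_enc_context;
    void *cipher_dec_context;
} context_t;

/* Constructed ledger allocator: every live block is recorded, and a free of
 * a block that is not live is counted as a double free rather than passed to
 * the real allocator (the same idea a sanitizer uses, in miniature). */
#define LEDGER_SIZE 16
static uintptr_t live_blocks[LEDGER_SIZE];
static int double_free_count;

static void *ledger_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < LEDGER_SIZE; i++) {
        if (live_blocks[i] == 0) { live_blocks[i] = (uintptr_t)p; return p; }
    }
    free(p);            /* ledger full: refuse rather than lose track */
    return NULL;
}

static void ledger_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < LEDGER_SIZE; i++) {
        if (live_blocks[i] == (uintptr_t)p) {
            live_blocks[i] = 0;
            free(p);
            return;
        }
    }
    double_free_count++;   /* pointer was not live: a double free was attempted */
}

static const sasl_utils_t ledger_utils = { ledger_free };

/* Pre-patch shape: frees the contexts but leaves the pointers dangling, so a
 * second call hands the same addresses to utils->free again. */
static void free_rc4_before(context_t *text) {
    if (text->cipher_enc_context) text->utils->free(text->cipher_enc_context);
    if (text->cipher_dec_context) text->utils->free(text->cipher_dec_context);
}

/* Post-patch shape: NULL each pointer after freeing it, so any later call
 * sees no context and does nothing. */
static void free_rc4_after(context_t *text) {
    if (text->cipher_enc_context) {
        text->utils->free(text->cipher_enc_context);
        text->cipher_enc_context = NULL;
    }
    if (text->cipher_dec_context) {
        text->utils->free(text->cipher_dec_context);
        text->cipher_dec_context = NULL;
    }
}

static void init_contexts(context_t *text) {
    text->utils = &ledger_utils;
    text->cipher_enc_context = ledger_malloc(64);
    text->cipher_dec_context = ledger_malloc(64);
}

/* Simulates the two teardown paths from the report (sasl_client_step()
 * followed by sasl_dispose()) and returns how many double frees the ledger
 * observed for the given free routine. */
int double_frees_when_torn_down_twice(void (*free_fn)(context_t *)) {
    context_t text;
    double_free_count = 0;
    memset(live_blocks, 0, sizeof live_blocks);
    init_contexts(&text);
    free_fn(&text);   /* first teardown path */
    free_fn(&text);   /* second teardown path */
    return double_free_count;
}

int main(void) {
    printf("before patch: %d double free(s)\n",
           double_frees_when_torn_down_twice(free_rc4_before));
    printf("after patch:  %d double free(s)\n",
           double_frees_when_torn_down_twice(free_rc4_after));
    return 0;
}
```

The ledger replaces glibc's heap check from the crash message with an explicit count, which is what makes the defect observable in a test rather than only as an abort; the same double-call sequence yields two recorded double frees for the pre-patch routine and none once the pointers are cleared.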