Bug#831758: exim4 NPD in expand_string, plaintext authentication with OpenBSD password file

Mon, 18 Jul 2016 22:58:03 -0700 

Package: exim4
Version: 4.84.2-1
Severity: normal
Tags: patch
Fixed upstream: http://git.exim.org/exim.git/commit/9dc2b215e83a63efa242f6acd3ab7af8b608e5a1 

Fix is in 4.87 and stretch. Broken in jessie. Patch attached.
Using plaintext password file generated with OpenBSD htpasswd (bcrypt), exim crashes with a NPD on every authentication. 

Stack trace:
#0  __strcmp_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:29
#1  * in eval_condition (s=0x7ff5b53a4948 "{1}{0}}",
    resetok=0x7ffe1b7a3eb4, yield=0x7ffe1b7a4000) at expand.c:2737
#2  * in expand_string_internal (
string=0x7ff5b53a48e8 "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2} 
    skipping=0, honour_dollar=1, resetok_p=0x0) at expand.c:3993
#3  * in expand_string (
string=0x7ff5b53a48e8 "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2} 
#4  * in auth_check_some_cond (ablock=0x7ff5b53a4830,
    label=0x7ff5b33ae6ff "server_condition",
condition=0x7ff5b53a48e8 "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$aut 
    at check_serv_cond.c:88
#5  * in auth_check_serv_cond (ablock=0x7ff5b53a4830)
    at check_serv_cond.c:35
#6  * in auth_plaintext_server (ablock=0x7ff5b53a4830,
    data=0x7ff5b53ae317 "*") at plaintext.c:144
#7  * in smtp_setup_msg () at smtp_in.c:3263
#8  * in handle_smtp_call (listen_sockets=0x7ff5b53a7368,
    listen_socket_count=4, accept_socket=8, accepted=0x7ffe1b7a55c0)
    at daemon.c:511
#9  * in daemon_go () at daemon.c:2032
#10 * in main (argc=3, cargv=0x7ffe1b7e5d98) at exim.c:4690



--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -2791,7 +2791,7 @@ switch(cond_type)
       #define XSTR(s) STR(s)
       DEBUG(D_auth) debug_printf("crypteq: using %s()\n"
         "  subject=%s\n  crypted=%s\n",
-        (which == 0)? XSTR(DEFAULT_CRYPT) : (which == 1)? "crypt" : "crypt16",
+        which == 0 ? XSTR(DEFAULT_CRYPT) : which == 1 ? "crypt" : "crypt16",
         coded, sub[1]);
       #undef STR
       #undef XSTR
@@ -2800,8 +2800,16 @@ switch(cond_type)
       salt), force failure. Otherwise we get false positives: with an empty
       string the yield of crypt() is an empty string! */
 
-      tempcond = (Ustrlen(sub[1]) < 2)? FALSE :
-        (Ustrcmp(coded, sub[1]) == 0);
+      if (coded)
+       tempcond = Ustrlen(sub[1]) < 2 ? FALSE : Ustrcmp(coded, sub[1]) == 0;
+      else if (errno == EINVAL)
+       tempcond = FALSE;
+      else
+       {
+       expand_string_message = string_sprintf("crypt error: %s\n",
+         US strerror(errno));
+       return NULL;
+       }
       }
     break;
     #endif  /* SUPPORT_CRYPTEQ */

Reply via email to