PHP :: Bug #40925 :: rfc822.c legacy routine buffer overflow

Bug #40925	rfc822.c legacy routine buffer overflow
Submitted:	2007-03-26 18:57 UTC	Modified:	2007-03-26 21:46 UTC
From:	dan at westernitgroup dot com	Assigned:
Status:	Not a bug	Package:	IMAP related
PHP Version:	4.4.6	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2007-03-26 18:57 UTC] dan at westernitgroup dot com

Description:
------------
Apache Core Dumps with a call to fatal("rfc822.c legacy routine buffer overflow") in IMAP rfc822.c . 

Buffer overflow is being caused by writing more than SENDBUFLEN bytes to IMAP outbut buffer.

What is the appropriate limit for this define? (currently set to 16385).

Reproduce code:
---------------
Running Horde/IMP during email compose.

Expected result:
----------------
No Core Dump

Actual result:
--------------
Core Dump

GDB Stackdump

#1  0x42028a73 in abort () from /lib/tls/libc.so.6
No symbol table info available.
#2  0xb7bbcf65 in fatal (string=0xb7cb6100 "rfc822.c legacy routine buffer overflow") at ftl_unix.c:38
No locals.
#3  0xb7bdf2dc in rfc822_legacy_soutr (stream=0x0,
    string=0x89485a8 "prospec@ctc.ca, prospec@ctc.ca, protech_rd@corelab.ca, provincial@alzheimer.ab.ca, provost_news@awnet.net, provy@interbaun.com, prowest@telus.net, prsigns2000@telusplanet.net, prsteel@telusplanet.net,"...) at rfc822.c:2156
No locals.
#4  0xb7bddac7 in rfc822_output_flush (buf=0x42130a14) at rfc822.c:1368
No locals.
#5  0xb7bdda5a in rfc822_output_data (buf=0xbfff1ef0, string=0x8915137 "ools.com", len=8) at rfc822.c:1341
        i = 15
#6  0xb7bddaa7 in rfc822_output_string (buf=0xbfff1ef0,
    string=0x42130a14 " \t\023BP?Է?l???\235\aB^P\001BnP\001B~P\001B?F??\220?\aB?P\001B?2\aB?P\001B?P\001B\0205\aB?]??\016Q\001B\036Q\001B.Q\001BP?\aBNQ\001B^Q\001BnQ\001B~Q\001B\216Q\001B?y???Q\001B?Q\001B?Q\001B`)??P?\aB??\aB") at rfc822.c:1354
No locals.
#7  0xb7bde1d5 in rfc822_output_address (buf=0xbfff1ef0, adr=0x89150f0) at rfc822.c:1561
No locals.
#8  0xb7bddfd1 in rfc822_output_address_list (buf=0xbfff1ef0, adr=0x89150f0, pretty=0, specials=0x0) at rfc822.c:1515
        n = 0
#9  0xb7bdf450 in rfc822_write_address_full (
    dest=0x42130a14 " \t\023BP?Է?l???\235\aB^P\001BnP\001B~P\001B?F??\220?\aB?P\001B?2\aB?P\001B?P\001B\0205\aB?]??\016Q\001B\036Q\001B.Q\001BP?\aBNQ\001B^Q\001BnQ\001B~Q\001B\216Q\001B?y???Q\001B?Q\001B?Q\001B`)??P?\aB??\aB", adr=0x88d6fa0, base=0x0) at rfc822.c:2229
        buf = {f = 0xb7bdf2cc <rfc822_legacy_soutr>, s = 0x0,
  beg = 0x89485a8 "prospec@ctc.ca, prospec@ctc.ca, protech_rd@corelab.ca, provincial@alzheimer.ab.ca, provost_news@awnet.net, provy@interbaun.com, prowest@telus.net, prsigns2000@telusplanet.net, prsteel@telusplanet.net,"...,
  cur = 0x89485a8 "prospec@ctc.ca, prospec@ctc.ca, protech_rd@corelab.ca, provincial@alzheimer.ab.ca, provost_news@awnet.net, provy@interbaun.com, prowest@telus.net, prsigns2000@telusplanet.net, prsteel@telusplanet.net,"..., end = 0x894c5a8 ""}
#10 0xb7afdfcf in _php_imap_parse_address (addresslist=0x88d6fa0, fulladdress=0xbfff1f68, paddress=0x890397c) at /root/progs/php-4.4.6/ext/imap/php_imap.c:3740
        addresstmp = (struct mail_address *) 0x88d6fa0
        tmpvals = (zval *) 0x89485a8
        len = 0
#11 0xb7afe36e in _php_make_header_object (myzvalue=0x882f534, en=0x88d7fe8) at /root/progs/php-4.4.6/ext/imap/php_imap.c:3782
        paddress = (zval *) 0x890397c
        fulladdress = 0x0
#12 0xb7af67fb in zif_imap_headerinfo (ht=143491048, return_value=0x882f534, this_ptr=0x0, return_value_used=1) at /root/progs/php-4.4.6/ext/imap/php_imap.c:1531
        streamind = (zval **) 0x8399f84
        msgno = (zval **) 0x8399f88
        fromlength = (zval **) 0x0
        subjectlength = (zval **) 0x0
        defaulthost = (zval **) 0x0
        imap_le_struct = (pils *) 0x839acd4
        cache = (MESSAGECACHE *) 0x88f3ea0
        en = (ENVELOPE *) 0x88d7fe8
        dummy = "\220*??; ÷\000\000\000\000\000\000\000\000?/??|?\212\b\b$??A\235??\214\177\220\b|?\212\b@\234???#??\004\000\000\000$$\217\b\b$???�?$\217\b\b&??X1??H*??U\221\004B?/??X1??\023y??\f\000\000\000 $?? \235ѷ\000\000\000\000X\027\213\b; ÷?*???d\004B4$??<3\213\b\000\000\000\000P\230\211\b\002\000\000\000E", '\0' <repeats 11 times>, "\001\000\000\000\\\000\000\000X5\213\b\001\000\001\000\001\000\000\000>?\215\b\001\000\000\000\001\000\001\000\001\000\000\000\220\230\211\b\001"...
        fulladdress = '\0' <repeats 40 times>, " \000\000\000\000\000\000\000\000)", '\0' <repeats 74 times>, "0 ??\\\"P\b", '\0' <repeats 20 times>, "L ??4eV\b\000\000\000\000`\"\022B", '\0' <repeats 12 times>, "h ???Yo\b", '\0' <repeats 18 times>, "d ", '\0' <repeats 16 times>, "\001", '\0' <repeats 31 times>, "\227%??\n\000\000\000\000\000\000\000H ѷ\000\000\000\000\000\000\000\0008 ÷`!??\000\000\000\000\001\000\000\000?&??\230%??\000\000\000\000; ÷\001\000\000\000????", '\0' <repeats 16 times>, "?Yo\b?Yo\b(!?"...
#13 0xb7bb7752 in execute (op_array=0x883e904) at /root/progs/php-4.4.6/Zend/zend_execute.c:1681
        execute_data = {opline = 0x8840e24, function_state = {function_symbol_table = 0x84dd274, function = 0x832f358, reserved = {0xe7, 0x890430c, 0xaeb5103, 0x7400000f}}, fbc = 0x0, ce = 0x0, object = {
    ptr = 0x0}, Ts = 0xbfff2bb0, original_in_execution = 1 '\001', op_array = 0x883e904, prev_execute_data = 0xbfff3890}
#14 0xb7bb7505 in execute (op_array=0x883ea54) at /root/progs/php-4.4.6/Zend/zend_execute.c:1725
        execute_data = {opline = 0x8843070, function_state = {function_symbol_table = 0x84dcdcc, function = 0x883e904, reserved = {0xe8, 0x890430c, 0xaeb5103, 0x7400000a}}, fbc = 0x883e904, ce = 0x0,
  object = {ptr = 0x88954a4}, Ts = 0xbfff2ff0, original_in_execution = 1 '\001', op_array = 0x883ea54, prev_execute_data = 0xbfffc8d0}
#15 0xb7bb7505 in execute (op_array=0x8386ba4) at /root/progs/php-4.4.6/Zend/zend_execute.c:1725
        execute_data = {opline = 0xb736cfec, function_state = {function_symbol_table = 0x84efbdc, function = 0x883ea54, reserved = {0xb7ba5836, 0x8386f7c, 0xbfffeb70, 0x0}}, fbc = 0x883ea54, ce = 0x0,

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-03-26 19:20 UTC] tony2001@php.net

Doesn't look like PHP problem.
Please update c-client to the latest available version and rebuild PHP.

[2007-03-26 20:59 UTC] dan at westernitgroup dot com

Already done, I would not have posted here otherwise.

[2007-03-26 21:04 UTC] tony2001@php.net

An abort in c-client still isn't something PHP can fix.
Please report this problem to c-client developers. 
See http://www.washington.edu/imap/

[2007-03-26 21:29 UTC] dan at westernitgroup dot com

I have and this is their response.

Increasing the SENDBUFLEN to a sufficient size will make the "rfc822.c legacy routine buffer overflow" fatal error go away.  However, a better thing to do is to fix PHP to use c-client's new rfc822 header routines which do not require a fixed buffer (they flush the current buffer as
needed) rather than the legacy interface.

[2007-03-26 21:46 UTC] tony2001@php.net

>However, a better thing to do is to fix PHP to use c-client's new
> rfc822 header routines which do not require a fixed buffer (they
>flush the current buffer as needed) rather than the legacy interface.

That's not going to happen in PHP4 and I honestly saying I doubt it'll happen ever because it's extremely difficult to add support for a new c-client functionality without actually _requiring_ some c-client version, which is not an option for such a widely used application as PHP.

So until c-client is missing a way to know its version and is breaking its own API between the releases, I guess we'll avoid using the new functionality and will stay with what we have now.

Though that doesn't mean we wouldn't review such a patch (of course if it does not add any new requirements).

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 15:01:28 2024 UTC