Bug #40925 rfc822.c legacy routine buffer overflow
Submitted: 2007-03-26 18:57 UTC Modified: 2007-03-26 21:46 UTC
From: dan at westernitgroup dot com Assigned:
Status: Not a bug Package: IMAP related
PHP Version: 4.4.6 OS: Linux
Private report: No CVE-ID: None
 [2007-03-26 18:57 UTC] dan at westernitgroup dot com
Description:
------------
Apache core dumps with a call to fatal("rfc822.c legacy routine buffer overflow") in IMAP rfc822.c.

Buffer overflow is being caused by writing more than SENDBUFLEN bytes to the IMAP output buffer.

What is the appropriate limit for this define? (currently set to 16385).

Reproduce code:
---------------
Running Horde/IMP during email compose.

Expected result:
----------------
No Core Dump

Actual result:
--------------
Core Dump

GDB Stackdump

#1  0x42028a73 in abort () from /lib/tls/libc.so.6
No symbol table info available.
#2  0xb7bbcf65 in fatal (string=0xb7cb6100 "rfc822.c legacy routine buffer overflow") at ftl_unix.c:38
No locals.
#3  0xb7bdf2dc in rfc822_legacy_soutr (stream=0x0,
    string=0x89485a8 "prospec@ctc.ca, prospec@ctc.ca, protech_rd@corelab.ca, provincial@alzheimer.ab.ca, provost_news@awnet.net, provy@interbaun.com, prowest@telus.net, prsigns2000@telusplanet.net, prsteel@telusplanet.net,"...) at rfc822.c:2156
No locals.
#4  0xb7bddac7 in rfc822_output_flush (buf=0x42130a14) at rfc822.c:1368
No locals.
#5  0xb7bdda5a in rfc822_output_data (buf=0xbfff1ef0, string=0x8915137 "ools.com", len=8) at rfc822.c:1341
        i = 15
#6  0xb7bddaa7 in rfc822_output_string (buf=0xbfff1ef0,
    string=0x42130a14 " \t\023BP?Է?l???\235\aB^P\001BnP\001B~P\001B?F??\220?\aB?P\001B?2\aB?P\001B?P\001B\0205\aB?]??\016Q\001B\036Q\001B.Q\001BP?\aBNQ\001B^Q\001BnQ\001B~Q\001B\216Q\001B?y???Q\001B?Q\001B?Q\001B`)??P?\aB??\aB") at rfc822.c:1354
No locals.
#7  0xb7bde1d5 in rfc822_output_address (buf=0xbfff1ef0, adr=0x89150f0) at rfc822.c:1561
No locals.
#8  0xb7bddfd1 in rfc822_output_address_list (buf=0xbfff1ef0, adr=0x89150f0, pretty=0, specials=0x0) at rfc822.c:1515
        n = 0
#9  0xb7bdf450 in rfc822_write_address_full (
    dest=0x42130a14 " \t\023BP?Է?l???\235\aB^P\001BnP\001B~P\001B?F??\220?\aB?P\001B?2\aB?P\001B?P\001B\0205\aB?]??\016Q\001B\036Q\001B.Q\001BP?\aBNQ\001B^Q\001BnQ\001B~Q\001B\216Q\001B?y???Q\001B?Q\001B?Q\001B`)??P?\aB??\aB", adr=0x88d6fa0, base=0x0) at rfc822.c:2229
        buf = {f = 0xb7bdf2cc <rfc822_legacy_soutr>, s = 0x0,
  beg = 0x89485a8 "prospec@ctc.ca, prospec@ctc.ca, protech_rd@corelab.ca, provincial@alzheimer.ab.ca, provost_news@awnet.net, provy@interbaun.com, prowest@telus.net, prsigns2000@telusplanet.net, prsteel@telusplanet.net,"...,
  cur = 0x89485a8 "prospec@ctc.ca, prospec@ctc.ca, protech_rd@corelab.ca, provincial@alzheimer.ab.ca, provost_news@awnet.net, provy@interbaun.com, prowest@telus.net, prsigns2000@telusplanet.net, prsteel@telusplanet.net,"..., end = 0x894c5a8 ""}
#10 0xb7afdfcf in _php_imap_parse_address (addresslist=0x88d6fa0, fulladdress=0xbfff1f68, paddress=0x890397c) at /root/progs/php-4.4.6/ext/imap/php_imap.c:3740
        addresstmp = (struct mail_address *) 0x88d6fa0
        tmpvals = (zval *) 0x89485a8
        len = 0
#11 0xb7afe36e in _php_make_header_object (myzvalue=0x882f534, en=0x88d7fe8) at /root/progs/php-4.4.6/ext/imap/php_imap.c:3782
        paddress = (zval *) 0x890397c
        fulladdress = 0x0
#12 0xb7af67fb in zif_imap_headerinfo (ht=143491048, return_value=0x882f534, this_ptr=0x0, return_value_used=1) at /root/progs/php-4.4.6/ext/imap/php_imap.c:1531
        streamind = (zval **) 0x8399f84
        msgno = (zval **) 0x8399f88
        fromlength = (zval **) 0x0
        subjectlength = (zval **) 0x0
        defaulthost = (zval **) 0x0
        imap_le_struct = (pils *) 0x839acd4
        cache = (MESSAGECACHE *) 0x88f3ea0
        en = (ENVELOPE *) 0x88d7fe8
        dummy = "\220*??; ÷\000\000\000\000\000\000\000\000?/??|?\212\b\b$??A\235??\214\177\220\b|?\212\b@\234???#??\004\000\000\000$$\217\b\b$???�?$\217\b\b&??X1??H*??U\221\004B?/??X1??\023y??\f\000\000\000 $?? \235ѷ\000\000\000\000X\027\213\b; ÷?*???d\004B4$??<3\213\b\000\000\000\000P\230\211\b\002\000\000\000E", '\0' <repeats 11 times>, "\001\000\000\000\\\000\000\000X5\213\b\001\000\001\000\001\000\000\000>?\215\b\001\000\000\000\001\000\001\000\001\000\000\000\220\230\211\b\001"...
        fulladdress = '\0' <repeats 40 times>, " \000\000\000\000\000\000\000\000)", '\0' <repeats 74 times>, "0 ??\\\"P\b", '\0' <repeats 20 times>, "L ??4eV\b\000\000\000\000`\"\022B", '\0' <repeats 12 times>, "h ???Yo\b", '\0' <repeats 18 times>, "d ", '\0' <repeats 16 times>, "\001", '\0' <repeats 31 times>, "\227%??\n\000\000\000\000\000\000\000H ѷ\000\000\000\000\000\000\000\0008 ÷`!??\000\000\000\000\001\000\000\000?&??\230%??\000\000\000\000; ÷\001\000\000\000????", '\0' <repeats 16 times>, "?Yo\b?Yo\b(!?"...
#13 0xb7bb7752 in execute (op_array=0x883e904) at /root/progs/php-4.4.6/Zend/zend_execute.c:1681
        execute_data = {opline = 0x8840e24, function_state = {function_symbol_table = 0x84dd274, function = 0x832f358, reserved = {0xe7, 0x890430c, 0xaeb5103, 0x7400000f}}, fbc = 0x0, ce = 0x0, object = {
    ptr = 0x0}, Ts = 0xbfff2bb0, original_in_execution = 1 '\001', op_array = 0x883e904, prev_execute_data = 0xbfff3890}
#14 0xb7bb7505 in execute (op_array=0x883ea54) at /root/progs/php-4.4.6/Zend/zend_execute.c:1725
        execute_data = {opline = 0x8843070, function_state = {function_symbol_table = 0x84dcdcc, function = 0x883e904, reserved = {0xe8, 0x890430c, 0xaeb5103, 0x7400000a}}, fbc = 0x883e904, ce = 0x0,
  object = {ptr = 0x88954a4}, Ts = 0xbfff2ff0, original_in_execution = 1 '\001', op_array = 0x883ea54, prev_execute_data = 0xbfffc8d0}
#15 0xb7bb7505 in execute (op_array=0x8386ba4) at /root/progs/php-4.4.6/Zend/zend_execute.c:1725
        execute_data = {opline = 0xb736cfec, function_state = {function_symbol_table = 0x84efbdc, function = 0x883ea54, reserved = {0xb7ba5836, 0x8386f7c, 0xbfffeb70, 0x0}}, fbc = 0x883ea54, ce = 0x0,


 [2007-03-26 19:20 UTC] tony2001@php.net
Doesn't look like PHP problem.
Please update c-client to the latest available version and rebuild PHP.
 [2007-03-26 20:59 UTC] dan at westernitgroup dot com
Already done, I would not have posted here otherwise.
 [2007-03-26 21:04 UTC] tony2001@php.net
An abort in c-client still isn't something PHP can fix.
Please report this problem to c-client developers. 
See http://www.washington.edu/imap/
 [2007-03-26 21:29 UTC] dan at westernitgroup dot com
I have, and this is their response.

Increasing the SENDBUFLEN to a sufficient size will make the "rfc822.c legacy routine buffer overflow" fatal error go away.  However, a better thing to do is to fix PHP to use c-client's new rfc822 header routines which do not require a fixed buffer (they flush the current buffer as
needed) rather than the legacy interface.
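The difference the c-client developers describe above, as an added example that is not c-client's or PHP's own code: the buffer object below (callback `f`, state `s`, bounds `beg`/`cur`/`end`) and the flush-on-full write loop are modelled on the `buf` structure and the `rfc822_output_data`/`rfc822_output_flush` frames visible in the stack dump, but all names here are assumptions. `SENDBUFLEN` is shrunk to 64 so the overflow is reached with a handful of addresses, and the legacy sink returns failure where c-client calls `fatal()`. The sample address list is constructed, not taken from the report.

```c
/* Added example modelling the two c-client output interfaces named in the
 * bug: a legacy caller that supplies one fixed SENDBUFLEN-byte destination,
 * and a streaming caller whose sink receives chunks each time the buffer
 * fills. Field and function names are assumptions, not c-client's API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENDBUFLEN 64   /* deliberately tiny; the bug report mentions 16385 */

typedef struct {
    int (*f)(void *s, const char *chunk, size_t len); /* sink called on flush */
    void *s;                                           /* sink state */
    char *beg, *cur, *end;                             /* buffer bounds */
} out_buffer;

/* Hand the accumulated bytes to the sink and rewind the cursor. */
static int out_flush(out_buffer *b) {
    size_t len = (size_t)(b->cur - b->beg);
    if (len == 0) return 1;
    if (!b->f(b->s, b->beg, len)) return 0;
    b->cur = b->beg;
    return 1;
}

/* Append len bytes, flushing whenever the buffer is full, so the write
 * itself can never run past b->end. */
static int out_data(out_buffer *b, const char *data, size_t len) {
    while (len) {
        size_t room = (size_t)(b->end - b->cur);
        if (room == 0) { if (!out_flush(b)) return 0; continue; }
        size_t n = len < room ? len : room;
        memcpy(b->cur, data, n);
        b->cur += n; data += n; len -= n;
    }
    return 1;
}

/* Emit "a, b, c" through the buffer; the caller decides how to finish. */
static int write_address_list(out_buffer *b, const char **addrs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (i && !out_data(b, ", ", 2)) return 0;
        if (!out_data(b, addrs[i], strlen(addrs[i]))) return 0;
    }
    return 1;
}

/* Legacy sink: the whole result was supposed to fit in the caller's fixed
 * buffer, so being asked to flush means it did not. c-client aborts here;
 * this model reports failure instead. */
static int legacy_soutr(void *s, const char *chunk, size_t len) {
    (void)s; (void)chunk; (void)len;
    return 0;
}

/* Streaming sink: appends each flushed chunk to a growable string. */
typedef struct { char *data; size_t len; } dynbuf;
static int stream_soutr(void *s, const char *chunk, size_t len) {
    dynbuf *d = s;
    char *p = realloc(d->data, d->len + len + 1);
    if (!p) return 0;
    d->data = p;
    memcpy(d->data + d->len, chunk, len);
    d->len += len;
    d->data[d->len] = '\0';
    return 1;
}

/* Legacy interface: result must fit in dest[SENDBUFLEN] (one byte kept for
 * the terminator). Returns 1 on success, 0 where c-client would abort. */
int write_addresses_legacy(char *dest, const char **addrs, size_t n) {
    out_buffer b = { legacy_soutr, NULL, dest, dest, dest + SENDBUFLEN - 1 };
    if (!write_address_list(&b, addrs, n)) { *dest = '\0'; return 0; }
    *b.cur = '\0';
    return 1;
}

/* Streaming interface: unbounded output, caller frees the result. */
char *write_addresses_streaming(const char **addrs, size_t n) {
    char work[SENDBUFLEN];
    dynbuf out = { NULL, 0 };
    out_buffer b = { stream_soutr, &out, work, work, work + SENDBUFLEN - 1 };
    if (!write_address_list(&b, addrs, n) || !out_flush(&b)) {
        free(out.data);
        return NULL;
    }
    return out.data ? out.data : calloc(1, 1);
}

/* Constructed sample input: 94 bytes once joined, more than SENDBUFLEN. */
static const char *sample_addrs[] = {
    "alpha@example.com", "bravo@example.com", "charlie@example.com",
    "delta@example.com", "echo@example.com"
};
#define SAMPLE_N (sizeof sample_addrs / sizeof sample_addrs[0])

/* 1 if the legacy path hits its overflow failure on the sample list. */
int legacy_overflows_on_sample(void) {
    char dest[SENDBUFLEN];
    return !write_addresses_legacy(dest, sample_addrs, SAMPLE_N);
}

/* Length of the streamed result for the sample list, 0 on failure. */
size_t streaming_length_on_sample(void) {
    char *out = write_addresses_streaming(sample_addrs, SAMPLE_N);
    size_t len = out ? strlen(out) : 0;
    free(out);
    return len;
}

int main(void) {
    printf("legacy overflow: %d\n", legacy_overflows_on_sample());
    printf("streamed bytes: %zu\n", streaming_length_on_sample());
    return 0;
}
```

The point of the model is where the size check lives: in the legacy path the caller chose the buffer size up front, so a long address list has nowhere to go but `fatal()` (or, with a larger SENDBUFLEN, simply a later failure); in the streaming path the buffer is only a window and the sink absorbs each full window, so the output length is not bounded by the define at all.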
 [2007-03-26 21:46 UTC] tony2001@php.net
> However, a better thing to do is to fix PHP to use c-client's new
> rfc822 header routines which do not require a fixed buffer (they
> flush the current buffer as needed) rather than the legacy interface.

That's not going to happen in PHP4 and, honestly speaking, I doubt it'll ever happen, because it's extremely difficult to add support for new c-client functionality without actually _requiring_ some c-client version, which is not an option for such a widely used application as PHP.

So as long as c-client is missing a way to know its version and is breaking its own API between releases, I guess we'll avoid using the new functionality and stay with what we have now.

Though that doesn't mean we wouldn't review such a patch (of course if it does not add any new requirements).
 