DragonFly kernel List (threaded) for 2008-02
DragonFly BSD

sendmail 8.14 has a serious memory corruption bug in it


From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Feb 2008 11:43:40 -0800 (PST)

    Matthias reported that leaf's sendmail had stopped working.  I tracked
    it down to a bug in sendmail in:

	 /usr/src/contrib/sendmail-8.14/sendmail/main.c line 2545

    It is freeing MainEnvelope's memory pool and then calling newenvelope()
    with MainEnvelope as the 'parent'.  If the backing store is actually
    freed (which it is in DragonFly), this causes a core dump.

                /* at this point we are in a child: reset state */
                sm_rpool_free(MainEnvelope.e_rpool);
                (void) newenvelope(&MainEnvelope, &MainEnvelope,
                                   sm_rpool_new_x(NULL));

    I think the code needs to be:

                /* at this point we are in a child: reset state */
                {
                        SM_RPOOL_T *opool = MainEnvelope.e_rpool;
                        (void) newenvelope(&MainEnvelope, &MainEnvelope,
                                           sm_rpool_new_x(NULL));
                        sm_rpool_free(opool);
                }

    I am making this change in our CVS.  I'm not sure why it is showing up
    now; 8.14 was brought in in November.

    I have reported the bug to the sendmail folks.

						-Matt
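The ordering bug described in the message, reproduced in a small C model (an added example, not code from sendmail or the DragonFly tree). The RPOOL/ENVELOPE types, rpool_new/rpool_free/rpool_alloc and the toy newenvelope() are stand-ins for sendmail's SM_RPOOL_T, sm_rpool_* and newenvelope(); the queue id "m1IJhcb4001234" is constructed. One deliberate difference: rpool_free() here poisons the pool's arena with 0xDD and keeps the struct around (as a quarantining debug allocator would) instead of returning the memory, so the use-after-free shows up as a detectable poisoned copy rather than as undefined behaviour or the core dump Matt saw.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 64
#define ID_LEN    16
#define POISON    0xDD

/* Toy resource pool: stand-in for SM_RPOOL_T (assumption, not sendmail's layout). */
typedef struct rpool {
    unsigned char arena[POOL_SIZE];
    size_t used;
    int freed;                  /* set by rpool_free(); a real allocator would unmap */
} RPOOL;

/* Toy envelope: only the two fields needed to show the parent copy. */
typedef struct envelope {
    RPOOL *e_rpool;
    char  *e_id;                /* ID_LEN bytes allocated from e_rpool */
} ENVELOPE;

static RPOOL *rpool_new(void) {
    RPOOL *p = calloc(1, sizeof *p);
    if (p == NULL) abort();
    return p;
}

/* Poison instead of release, so a read after free is deterministic.
   The struct itself is never returned to malloc in this model. */
static void rpool_free(RPOOL *p) {
    memset(p->arena, POISON, sizeof p->arena);
    p->freed = 1;
}

static void *rpool_alloc(RPOOL *p, size_t n) {
    if (p->freed || p->used + n > sizeof p->arena) abort();
    void *r = p->arena + p->used;
    p->used += n;
    return r;
}

/* Models newenvelope(e, parent, rpool): initialise e from parent, copying
   the parent's id into the new pool. parent may alias e, as in main.c. */
static ENVELOPE *newenvelope(ENVELOPE *e, ENVELOPE *parent, RPOOL *rpool) {
    const char *pid = parent->e_id;         /* points into the parent's OLD pool */
    e->e_rpool = rpool;
    e->e_id = rpool_alloc(rpool, ID_LEN);
    memcpy(e->e_id, pid, ID_LEN);           /* reads the old pool here */
    return e;
}

/* The order quoted from sendmail 8.14 main.c: free first, then use the
   freed MainEnvelope as parent. */
static ENVELOPE *reset_buggy(ENVELOPE *MainEnvelope) {
    rpool_free(MainEnvelope->e_rpool);
    return newenvelope(MainEnvelope, MainEnvelope, rpool_new());
}

/* The reordering proposed in the message: build the new envelope while the
   parent's pool is still valid, then free the old pool. */
static ENVELOPE *reset_fixed(ENVELOPE *MainEnvelope) {
    RPOOL *opool = MainEnvelope->e_rpool;
    newenvelope(MainEnvelope, MainEnvelope, rpool_new());
    rpool_free(opool);
    return MainEnvelope;
}

static int id_is_poisoned(const char *id) {
    for (size_t i = 0; i < ID_LEN; i++)
        if ((unsigned char)id[i] != POISON) return 0;
    return 1;
}

static void setup(ENVELOPE *e, const char *id) {
    e->e_rpool = rpool_new();
    e->e_id = rpool_alloc(e->e_rpool, ID_LEN);
    memset(e->e_id, 0, ID_LEN);
    strncpy(e->e_id, id, ID_LEN - 1);
}

/* Runs one reset variant; returns 1 if the id survived, 0 if poison was copied. */
static int run_reset(ENVELOPE *(*reset)(ENVELOPE *)) {
    ENVELOPE env;
    setup(&env, "m1IJhcb4001234");          /* constructed queue id */
    reset(&env);
    return !id_is_poisoned(env.e_id) && strcmp(env.e_id, "m1IJhcb4001234") == 0;
}

int main(void) {
    printf("buggy order: %s\n", run_reset(reset_buggy) ? "id intact" : "poisoned copy (use after free)");
    printf("fixed order: %s\n", run_reset(reset_fixed) ? "id intact" : "poisoned copy (use after free)");
    return 0;
}
```

With a malloc that really releases and unmaps freed memory, as the message says DragonFly's does, the read in newenvelope() in the buggy ordering faults instead of copying poison; the saved-pointer reordering is what keeps the parent readable until the copy is done.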


