hackerone Catenacyber H1:827729
Mar 24, 2020 - 7:32 a.m.

Open-Xchange: Null pointer dereference in SMTP server function smtp_string_parse

2020-03-24 07:32:04
catenacyber
hackerone.com
$1500
35

0.01 Low

EPSS Percentile: 84.1%

Sending the following bytes to the SMTP server induces a NULL pointer dereference:

0x20,0x41,0xa,0xa,0x56,0x52,0x46,0x59,0x20,0x51,0x45,0xa,0x20,0xa,0x27,0xa,0x4e,0x4f,0x4f,0x50,0x20,0x45,0x45,0x22,0x46,0x59,0xa,0x80,0x44,0x41,0x54,0xa,0x42,0x44,0x41,0x20,0xf6,0xa,0x56,0x52,0x46,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x20,0xa,0x8a,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0x4a,0xa,0xa,0xa,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x20,0xa,0x8a,0xcc,0xcc,0xcc,0xcc,0x48,0xa,0x6d,0xa,0x20,0x50,0x40,0xa,0x41,0xd,0xd,0xa,0xd,0xd,0xa,0xa,0xd,0xa,0xd,0xd,0x42,0x44

The stack trace is:

    #0 0x109b49a57 in smtp_string_parse smtp-syntax.c:35
    #1 0x109b6cdf4 in smtp_server_cmd_noop smtp-server-cmd-noop.c:19
    #2 0x109b75a46 in smtp_server_command_new smtp-server-command.c:248
    #3 0x109b8b139 in smtp_server_connection_handle_command smtp-server-connection.c:299
    #4 0x109b8a3e3 in smtp_server_connection_handle_input smtp-server-connection.c:434
    #5 0x109b89d4a in smtp_server_connection_input smtp-server-connection.c:583
    #6 0x109c1378b in io_loop_call_io ioloop.c:713
    #7 0x109c14970 in io_loop_call_pending ioloop.c:751
    #8 0x109c14449 in io_loop_handler_run ioloop.c:766
    #9 0x109c140cd in io_loop_run ioloop.c:738
    #10 0x109b0cde1 in LLVMFuzzerTestOneInput fuzz-smtp-server.c:86

Indeed, smtp_server_cmd_noop calls smtp_string_parse(params, NULL, NULL), so the third parameter (error_r) is NULL and the unconditional write through it crashes.

The fix seems obvious, since the same NULL check is already done for the error assignment just a few lines earlier in the same function:

diff --git a/src/lib-smtp/smtp-syntax.c b/src/lib-smtp/smtp-syntax.c
index 5d22445f72..43db157ded 100644
--- a/src/lib-smtp/smtp-syntax.c
+++ b/src/lib-smtp/smtp-syntax.c
@@ -32,7 +32,8 @@ int smtp_string_parse(const char *string,
                return -1;
        }
        if (parser.cur < parser.end) {
-               *error_r = "Invalid character in string";
+               if (error_r != NULL)
+                       *error_r = "Invalid character in string";
                return -1;
        }
        return 1;
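Review bot: the guard on `*error_r = "Invalid character in string"` fixes the crash path reached from smtp_server_cmd_noop, but the hunk covers only this one assignment; every other `*error_r =` write in smtp_string_parse should be checked for the same `if (error_r != NULL)` guard, and the function's declaration or doc comment should state that error_r may be NULL so that future assignments keep the guard. Making the contract explicit at the declaration also documents why the NOOP handler is allowed to pass NULL.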

Impact

A NULL pointer dereference crashes the SMTP server process; any client able to reach the server can trigger it with an unauthenticated NOOP command carrying a malformed parameter.
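The defensive pattern the patch applies, as an added example that is not Dovecot's or Open-Xchange's code: a hypothetical `parse_smtp_string` with a simplified grammar (an atom of printable non-special characters, or a double-quoted string with backslash escapes) whose `error_r` out-parameter is optional. Every error path checks `error_r` for NULL before writing, so a caller that does not care about the reason, like the NOOP handler in the report, can pass NULL without crashing. The function name, grammar and messages are assumptions for illustration.

```c
/* Added example (hypothetical, not the project's smtp_string_parse):
 * an SMTP-string parser whose error_r out-parameter may be NULL. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Printable ASCII excluding a simplified set of SMTP special characters. */
static int is_atom_char(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f)
        return 0;
    return strchr("()<>@,;:\\\".[]", c) == NULL;
}

/* Returns 1 on success with the decoded value in value_r, 0 if the input is
 * empty, -1 on syntax error. On error, *error_r is set ONLY when error_r is
 * non-NULL; that guard is the whole point of the report's fix. */
int parse_smtp_string(const char *string, char *value_r, size_t value_size,
                      const char **error_r)
{
    const char *p = string;
    size_t n = 0;

    if (*p == '\0')
        return 0;

    if (*p == '"') {
        /* Quoted string: copy until the closing quote; backslash escapes one char. */
        p++;
        while (*p != '"') {
            if (*p == '\0') {
                if (error_r != NULL)
                    *error_r = "Unterminated quoted string";
                return -1;
            }
            if (*p == '\\') {
                p++;
                if (*p == '\0') {
                    if (error_r != NULL)
                        *error_r = "Unterminated quoted string";
                    return -1;
                }
            }
            if (n + 1 >= value_size) {
                if (error_r != NULL)
                    *error_r = "String too long";
                return -1;
            }
            value_r[n++] = *p++;
        }
        p++; /* skip closing quote */
    } else {
        while (is_atom_char((unsigned char)*p)) {
            if (n + 1 >= value_size) {
                if (error_r != NULL)
                    *error_r = "String too long";
                return -1;
            }
            value_r[n++] = *p++;
        }
    }
    value_r[n] = '\0';

    /* Trailing garbage: the spot the report's patch guards. Without the
     * NULL check, a NOOP-style caller passing error_r == NULL would crash here. */
    if (*p != '\0') {
        if (error_r != NULL)
            *error_r = "Invalid character in string";
        return -1;
    }
    return 1;
}

int main(void)
{
    char buf[32];
    const char *err = NULL;

    /* Constructed input mirroring the report's NOOP parameter: atom then a stray quote. */
    int rc = parse_smtp_string("EE\"FY", buf, sizeof buf, NULL);
    printf("NOOP-style call with NULL error_r: rc=%d (no crash)\n", rc);

    rc = parse_smtp_string("EE\"FY", buf, sizeof buf, &err);
    printf("same input with error_r: rc=%d error=%s\n", rc, err);
    return 0;
}
```

The point of the example is the caller contract: the parser documents that `error_r` may be NULL and enforces it on every error path, rather than relying on each caller to supply a dummy pointer.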