Sending the following bytes to the SMTP server induces a NULL pointer dereference:
0x20,0x41,0xa,0xa,0x56,0x52,0x46,0x59,0x20,0x51,0x45,0xa,0x20,0xa,0x27,0xa,0x4e,0x4f,0x4f,0x50,0x20,0x45,0x45,0x22,0x46,0x59,0xa,0x80,0x44,0x41,0x54,0xa,0x42,0x44,0x41,0x20,0xf6,0xa,0x56,0x52,0x46,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x20,0xa,0x8a,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0x4a,0xa,0xa,0xa,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x20,0xa,0x8a,0xcc,0xcc,0xcc,0xcc,0x48,0xa,0x6d,0xa,0x20,0x50,0x40,0xa,0x41,0xd,0xd,0xa,0xd,0xd,0xa,0xa,0xd,0xa,0xd,0xd,0x42,0x44
The stack trace is:
#0 0x109b49a57 in smtp_string_parse smtp-syntax.c:35
#1 0x109b6cdf4 in smtp_server_cmd_noop smtp-server-cmd-noop.c:19
#2 0x109b75a46 in smtp_server_command_new smtp-server-command.c:248
#3 0x109b8b139 in smtp_server_connection_handle_command smtp-server-connection.c:299
#4 0x109b8a3e3 in smtp_server_connection_handle_input smtp-server-connection.c:434
#5 0x109b89d4a in smtp_server_connection_input smtp-server-connection.c:583
#6 0x109c1378b in io_loop_call_io ioloop.c:713
#7 0x109c14970 in io_loop_call_pending ioloop.c:751
#8 0x109c14449 in io_loop_handler_run ioloop.c:766
#9 0x109c140cd in io_loop_run ioloop.c:738
#10 0x109b0cde1 in LLVMFuzzerTestOneInput fuzz-smtp-server.c:86
Indeed, smtp_server_cmd_noop calls smtp_string_parse(params, NULL, NULL), so the third parameter, error_r, is NULL when the parser tries to store its error message through it.
The fix seems obvious, as the same NULL check has already been applied to the code a few lines earlier:
diff --git a/src/lib-smtp/smtp-syntax.c b/src/lib-smtp/smtp-syntax.c
index 5d22445f72..43db157ded 100644
--- a/src/lib-smtp/smtp-syntax.c
+++ b/src/lib-smtp/smtp-syntax.c
@@ -32,7 +32,8 @@ int smtp_string_parse(const char *string,
return -1;
}
if (parser.cur < parser.end) {
- *error_r = "Invalid character in string";
+ if (error_r != NULL)
+ *error_r = "Invalid character in string";
return -1;
}
return 1;
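Review bot: the guard only covers this one store; any other `*error_r = ...` in smtp_string_parse beyond the earlier one the report says is already guarded, and any sibling parser in smtp-syntax.c that a command handler invokes with a NULL error_r, needs the same `if (error_r != NULL)` check, so it would be safer to route every store through one small helper than to repeat the check by hand. The header should also state explicitly that error_r may be NULL, so callers such as smtp_server_cmd_noop rely on a documented contract; alternatively that caller could pass a real pointer so the diagnostic is not silently discarded.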
This NULL pointer dereference crashes the SMTP server.
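As an added illustration that is not Dovecot's code, the pre-patch unconditional store and the patched guarded form side by side; the scanner is a constructed, simplified stand-in for smtp_string_parse, and the function names are hypothetical:

```c
#include <ctype.h>
#include <string.h>
/* Constructed example, not Dovecot's smtp_string_parse(): a simplified
 * scanner for an SMTP string (quoted-string without escapes, or a run of
 * atom characters). Returns NULL on success, else a static message. */
static int is_atom_char(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-/=?^_`{|}~", c) != NULL);
}

static const char *scan_string(const char *s)
{
    const char *p = s;
    if (*p == '"') {
        for (p++; *p != '\0' && *p != '"'; p++)
            ;
        if (*p != '"')
            return "Unterminated quoted string";
        p++;
    } else {
        while (is_atom_char((unsigned char)*p))
            p++;
    }
    return *p == '\0' ? NULL : "Invalid character in string"; /* trailing input */
}

/* Pre-patch shape: stores through error_r unconditionally, so a caller
 * passing NULL (as smtp_server_cmd_noop does) dereferences NULL. */
int string_parse_unsafe(const char *s, const char **error_r)
{
    const char *err = scan_string(s);
    if (err != NULL) {
        *error_r = err; /* crashes when error_r == NULL */
        return -1;
    }
    return 1;
}

/* Patched shape: error_r is optional; the diagnostic is dropped rather
 * than written through a NULL pointer. */
int string_parse_safe(const char *s, const char **error_r)
{
    const char *err = scan_string(s);
    if (err != NULL) {
        if (error_r != NULL)
            *error_r = err;
        return -1;
    }
    return 1;
}
```

Calling string_parse_safe("hel lo", NULL) returns -1 without touching memory, whereas the same call to string_parse_unsafe would segfault exactly as the fuzzer input above does.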