search

samettonyali / gross

Automatically exported from code.google.com/p/gross
Other
1 stars 0 forks source link

Space Character in Mail From Crashing Gross #61

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
I think I found the bug with my rusty C programming skill. Try this:

gclient  sjsms '%20S' recipient 127.0.0.1 helo

It will either cause strange "s=" entries to be recorded in the log on
my Sun box or just crashes a Linux box.

Seems that the %s that got passed in interfered with the normal format
string processing with vnsprintf, that expects a further string value
to get passed. Of course that didn't happen.

The %20 is a hex encode of the space character. Spammer sends MAIL
FROM: <spam"mer@dom SIZE=XXX>, MS thinks the envelop address is
spam"mer@dom SIZE=XXX>, and passes spam"mer@dom%20SIZE=XXX> to grossd.
Actually a simple adress like %s@dom is suffice to crash grossd,
because the % character is not encoded by MS before sending to grossd
for some reasons.

Besides the envelop sender field, It also seems to affects the
ricipient and helo field as well. It may also affect how tuples are
entered into the bloom filter since grossd just takes what MS sends as
is.

Below are gdb stack trace that I think will help fixing the bug. For
the meantime, I am working on script that auto restarts grossd when it
dies.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1290261584 (LWP 21965)]
0x00596eb8 in wcslen () from /lib/tls/libc.so.6
(gdb) where
#0  0x00596eb8 in wcslen () from /lib/tls/libc.so.6
#1  0x00597f14 in wcsrtombs () from /lib/tls/libc.so.6
#2  0x005655ec in vfprintf () from /lib/tls/libc.so.6
#3  0x005829d6 in vsnprintf () from /lib/tls/libc.so.6
#4  0x0804b977 in logstr (level=6615028,
    fmt=0xb3181710 "a=greylist d=0 w=0 c=127.0.0.1 s=%20S r=r h=helo")
    at srvutils.c:50
#5  0x0804d416 in querylogwrite (q=0x81ae980) at worker.c:677
#6  0x0804d4c1 in finalize (status=0x81ae978) at worker.c:602
#7  0x08053baa in sjsms_connection (info=0x81adfd0, thread_ctx=0xb3182410,
    edict=0x81ae728) at worker_sjsms.c:270
#8  0x0805252e in thread_pool (arg=0x81ae590) at thread_pool.c:191
#9  0x00760371 in start_thread () from /lib/tls/libpthread.so.0
#10 0x005efffe in clone () from /lib/tls/libc.so.6

Jeff

Original issue reported on code.google.com by eino.tuominen@gmail.com on 28 Apr 2008 at 5:26

GoogleCodeExporter commented 8 years ago 
Antti found the bug and committed a fix. It was basically a printf() format bug 
in
the new querylogging code. Fix will be in the next release.

Original comment by eino.tuominen@gmail.com on 28 Apr 2008 at 5:28