3667 – segfault in imap_session_authenticate

Bug 3667 - segfault in imap_session_authenticate

Summary: segfault in imap_session_authenticate

Status:	RESOLVED FIXED

Alias:	None

Product:	Claws Mail (GTK 2)
Classification:	Unclassified
Component:	Folders/IMAP (show other bugs)
Version:	3.14.0
Hardware:	PC Linux

Importance:	P3 critical
Assignee:	users

URL:

Depends on:
Blocks:

Reported:	2016-08-13 12:00 UTC by Andreas
Modified:	2016-08-17 08:29 UTC (History)
CC List:	0 users

See Also:

Attachments
A fix for the crash (1016 bytes, patch) 2016-08-16 10:25 UTC, Andrej Kacian	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Andreas 2016-08-13 12:00:04 UTC

All line numbers will refer to version 3.14.0 and the file imap.c!
I have a plugin running, that returns the password from gnome-keyring, i.e. imap.c:1285 will run successfully, and we will end up in the block with lines 1287 and 1288.
Line 1287 is the problem here, because we use Xstrdup_a(acc_pass...) which uses internally alloca, thus the memory is automatically managed.
However in all following code (and in my case in line 1341), the memory for acc_pass will be freed with g_free.
This leads to a segmentation fault on my PC.

I guess this bug was introduced due to the new passwordstore in claws-mail...

Comment 1 Andrej Kacian 2016-08-15 10:19:03 UTC

You're right, this is a problem. The use of alloca() here is, I believe, incorrect, since the returned password could be of any length, and could cause stack overflow. It needs to be changed to use simple malloc() instead. Sorry about that.

Comment 2 Andreas 2016-08-15 10:34:46 UTC

To be honest, I've just changed it to not copy at all, just set the pointer correctly with
acc_pass = pass;
and removing the two lines for copying/freeing the variable pass.

I think this is from old implementations, where acc_pass was deleted automatically. Now in all cases acc_pass will be freed anyway, and pass is already allocated with malloc, so I don't see the point, why copying it just another time ;)

Comment 3 Andrej Kacian 2016-08-16 10:25:23 UTC

Created attachment 1673 [details]
A fix for the crash

Can you try this patch (against current git master)?

You are correct that this was an oversight during recent password-related changes. Sorry about that.

Comment 4 Andreas 2016-08-16 22:27:30 UTC

Yes it works now. Thank you very much for the fast fix ;)

Comment 5 users 2016-08-17 00:34:04 UTC

Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2016-08-17 00:34:03.974036385 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=b23c6b4ca22574e99dfff6cb13211f539ff8536d
Merge: aff003f 5b70872
Author: Colin Leroy <colin@colino.net>
Date:   Wed Aug 17 00:34:03 2016 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=5b70872b46999db1d46718267a4960547147d46b
Author: Andrej Kacian <ticho@claws-mail.org>
Date:   Wed Aug 17 00:32:12 2016 +0200

    Fix a crash on IMAP login when using a password plugin.
    
    Fixes bug #3667.

Comment 6 Andrej Kacian 2016-08-17 08:29:21 UTC

Patch applied in git, thanks for reporting!

Note You need to log in before you can comment on or make changes to this bug.