bin/54367: [PATCH] sendmail coredumps (sometime) when using dns map
Oleg Bulyzhin
oleg at rinet.ru
Fri Jul 11 05:10:11 PDT 2003
>Number: 54367
>Category: bin
>Synopsis: [PATCH] sendmail coredumps (sometime) when using dns map
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 11 05:10:09 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Oleg Bulyzhin
>Release: FreeBSD 4.8-RELEASE i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD lath.rinet.ru 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Sat Apr 5 12:35:16 MSD 2003 root at lath.rinet.ru:/lh/obj/lh/src/sys/lath i386
Any FreeBSD version with sendmail below 8.12.9 is affected, I guess.
>Description:
Only sendmail 8.12.8 (and previous) are affected. 8.12.9 has this bug
fixed.
If you are using dns maps in your sendmail.cf and have decent smtp
traffic you can see "random" sendmail crashes.
(The problem was noticed on our primary mail relay, which has about 300000
delivery attempts per day.) If you search your maillog for the crashed
sendmail pid you can see (often, but not always) an error like this:
sm-mta[90653]: ERROR: DNS RDLENGTH=63885 > data len=2468
Here is an explanation of why this can happen:
In dns_parse_reply() sendmail builds a chain of RESOURCE_RECORD_T
structures (dynamically allocating memory for them). Due to wrong
initialization of those structures, if sendmail gets a bad dns reply
(with actual reply size != announced reply size), it calls
dns_free_data (sm_resolve.c:227) with the rr_next field of the last chain
structure filled with garbage. In dns_free_data() sendmail tries to
free the allocated chain of structures: it goes through the chain using
the rr_next pointer and stops when rr_next == NULL. Garbage in the rr_next
field causes sendmail to call free() on random addresses.
This usually causes sendmail to crash.
Theoretically (I'm not sure) this bug can lead to remote code
execution.
>How-To-Repeat:
Don't know an easy way to reproduce the problem. (We need a source of broken
dns replies, I guess.)
>Fix:
Use sm_resolve.c coming with sendmail 8.12.9 or use this patch:
--- sm_resolve.c.orig Fri Jun 28 00:43:24 2002
+++ sm_resolve.c Thu Jul 10 01:21:17 2003
@@ -233,6 +233,7 @@
dns_free_data(r);
return NULL;
}
+ memset(*rr, 0, sizeof(**rr));
(*rr)->rr_domain = sm_strdup(host);
if ((*rr)->rr_domain == NULL)
{
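Review bot: the unchanged context lines of this hunk have lost their leading space in the archive (e.g. "dns_free_data(r);" and "return NULL;" should carry a one-space prefix), so patch(1) may reject it as posted; re-add the prefix or take sm_resolve.c from 8.12.9 as the Fix section suggests. The fix itself is sound: "memset(*rr, 0, sizeof(**rr));" zeroes every field of the freshly allocated record, including rr_next, so the walk in dns_free_data() stops at NULL instead of handing a stale value to free() when a truncated reply hits the error path, and it must stay before "(*rr)->rr_domain = sm_strdup(host);", which only initialises rr_domain.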
>Release-Note:
>Audit-Trail:
>Unformatted:
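The defect described above, as an added example that is not sendmail's code: a small model of the RESOURCE_RECORD_T chain built over a constructed arena that hands out 0xAA-filled memory (so the "garbage" rr_next is deterministic rather than whatever the real heap held), with zero_init switching between the 8.12.8 behaviour and the patch's memset(). The struct, arena, parse_reply and chain_terminates names are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for RESOURCE_RECORD_T: a payload field plus rr_next. */
typedef struct rr {
    int        rr_type;
    struct rr *rr_next;
} rr_t;
/* Constructed arena standing in for the heap; allocations come back filled
 * with 0xAA (as a debugging malloc would), so the garbage is deterministic. */
static unsigned char pool[16 * sizeof(rr_t)];
static size_t pool_used;

static void *garbage_alloc(size_t n)
{
    if (pool_used + n > sizeof pool) return NULL;
    void *p = memset(pool + pool_used, 0xAA, n);   /* never zeroed, like malloc */
    pool_used += n;
    return p;
}
/* Build `total` records, bailing out after `truncate_at` of them as sm_resolve.c
 * does when RDLENGTH exceeds the data left; zero_init false = 8.12.8, true = patch. */
static rr_t *parse_reply(int total, int truncate_at, bool zero_init)
{
    rr_t *head = NULL, **rr = &head;
    pool_used = 0;
    for (int i = 0; i < total; i++) {
        if ((*rr = garbage_alloc(sizeof **rr)) == NULL)
            return head;
        if (zero_init)
            memset(*rr, 0, sizeof **rr);   /* the one-line fix from the hunk */
        (*rr)->rr_type = i;
        if (i + 1 == truncate_at)          /* bad reply: rr_next of this record never set */
            return head;
        rr = &(*rr)->rr_next;
    }
    *rr = NULL;                            /* good reply: chain properly terminated */
    return head;
}
/* Walk like dns_free_data(), but refuse to follow a pointer outside the arena. */
bool chain_terminates(int total, int truncate_at, bool zero_init)
{
    const rr_t *r = parse_reply(total, truncate_at, zero_init);
    uintptr_t lo = (uintptr_t)pool, hi = lo + sizeof pool - sizeof(rr_t);
    while (r != NULL && (uintptr_t)r >= lo && (uintptr_t)r <= hi)
        r = r->rr_next;
    return r == NULL;   /* false: rr_next held 0xAA.., what free() would have got */
}
```

A false return is the exact condition the report describes: the walk leaves the chain through an uninitialised rr_next, which in the real code became a free() on a random address.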