
Open-Xchange: Null pointer dereference in lib-sieve after calling sieve_binary_block_index

Description

There are several places where the program calls sieve_binary_block_index() without checking its return value, mainly in sieve-binary-dumper.c. For example, sieve_binary_dumper_run() fetches the script-metadata block with sieve_binary_block_get() (which relies on sieve_binary_block_index()) and passes the result straight to sieve_script_binary_dump_metadata(), with no NULL check in between:

```
pigeonhole/src/lib-sieve/sieve-binary-dumper.c:

bool sieve_binary_dumper_run(struct sieve_binary_dumper *dumper,
    struct ostream *stream, bool verbose)
{
    struct sieve_binary *sbin = dumper->dumpenv.sbin;
    struct sieve_script *script = sieve_binary_script(sbin);
    struct sieve_dumptime_env *denv = &(dumper->dumpenv);
    struct sieve_binary_block *sblock;
    bool success = TRUE;
    sieve_size_t offset;
    int count, i;

    ......
    ......

    sieve_binary_dump_sectionf(denv, "Script metadata (block: %d)",
        SBIN_SYSBLOCK_SCRIPT_DATA);
    /* Returns NULL when the block is missing or its header is corrupt */
    sblock = sieve_binary_block_get(sbin, SBIN_SYSBLOCK_SCRIPT_DATA);

    T_BEGIN {
        offset = 0;
        /* sblock is used here without a NULL check */
        success = sieve_script_binary_dump_metadata(
            script, denv, sblock, &offset);
    } T_END;
```

Running the sieve-dump tool on a specially crafted Sieve binary whose block 0 header carries a wrong id makes the loader reject the block (returning NULL) and then crashes on the unchecked pointer:

```
pigeonhole/src/sieve-tools/.libs/sieve-dump -c /etc/dovecot/dovecot.conf ./1.crash

* Script metadata (block: 0):
sieve-dump(root): Error: sieve: binary ./1.crash: load: binary is corrupt: header of block 0 has non-matching id 1818846724
ASAN:DEADLYSIGNAL
=================================================================
==21708==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f89474bbd58 bp 0x7fff8bfc8280 sp 0x7fff8bfc8128 T0)
==21708==The signal is caused by a READ memory access.
==21708==Hint: address points to the zero page.
    #0 0x7f89474bbd57 in sieve_binary_block_get_binary /home/user/data/pigeonhole/src/lib-sieve/sieve-binary.c:323
    #1 0x7f894748f160 in sieve_script_binary_dump_metadata /home/user/data/pigeonhole/src/lib-sieve/sieve-script.c:474
    #2 0x7f894750e19e in sieve_binary_dumper_run /home/user/data/pigeonhole/src/lib-sieve/sieve-binary-dumper.c:135
    #3 0x7f8947597463 in sieve_dump /home/user/data/pigeonhole/src/lib-sieve/sieve.c:503
    #4 0x55908b00e891 in sieve_tool_dump_binary_to /home/user/data/pigeonhole/src/lib-sieve-tool/sieve-tool.c:615
    #5 0x55908b007b5b in main /home/user/data/pigeonhole/src/sieve-tools/sieve-dump.c:85
    #6 0x7f89468fbbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #7 0x55908b007fa9 in _start (/root/sieve-dump+0x3fa9)
```

The program crashes when it dereferences the NULL pointer returned by sieve_binary_block_index() (via sieve_binary_block_get()) without checking it; frame #0 shows the read of the zero page inside sieve_binary_block_get_binary(), reached from sieve_script_binary_dump_metadata(). I have not tried the other call sites, but I still suggest adding a NULL check to all of them.

## Impact

A NULL pointer dereference crashes any program that uses these APIs when it is given a crafted or corrupted Sieve binary.
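The following is an added, self-contained C example that is not Pigeonhole's code: it models a block-indexed binary with a hypothetical layout (a block count followed by blocks whose header id must equal their index), a lookup that returns NULL on a truncated file or a non-matching header id, and the two consumer patterns side by side, the unchecked one that the report describes and a hardened one that fails closed. The sample buffers are constructed inline; the corrupt one reuses the mismatching id from the sieve-dump error above as an arbitrary wrong value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical layout, constructed for this example (not the Sieve binary
 * format): uint32 block count, then blocks of { uint32 id; uint32 len; body }.
 * A block's header id must equal its own index, as the loader in the report
 * also requires ("header of block 0 has non-matching id ..."). */
struct block_hdr { uint32_t id; uint32_t len; };
struct bin       { const uint8_t *data; size_t size; };
struct block     { uint32_t id; const uint8_t *body; uint32_t len; };

/* Look up block `id`. Returns `out` on success, NULL when the binary is
 * truncated, the index is out of range, or the header id does not match. */
static const struct block *block_get(const struct bin *b, uint32_t id,
                                     struct block *out)
{
    uint32_t count;
    size_t off = 0;

    if (b->size < sizeof count) return NULL;
    memcpy(&count, b->data, sizeof count);
    off = sizeof count;
    if (id >= count) return NULL;                      /* index out of range */

    for (uint32_t i = 0; i <= id; i++) {
        struct block_hdr h;
        if (b->size - off < sizeof h) return NULL;     /* header truncated */
        memcpy(&h, b->data + off, sizeof h);
        off += sizeof h;
        if (b->size - off < h.len) return NULL;        /* body truncated */
        if (i == id) {
            if (h.id != id) {
                fprintf(stderr, "binary is corrupt: header of block %u "
                        "has non-matching id %u\n", id, h.id);
                return NULL;
            }
            out->id = h.id;
            out->body = b->data + off;
            out->len = h.len;
            return out;
        }
        off += h.len;
    }
    return NULL;
}

/* Vulnerable pattern: the lookup result is used without a check, so a
 * corrupt or missing block turns into a NULL dereference (SEGV). */
static uint32_t dump_metadata_unchecked(const struct bin *b, uint32_t id)
{
    struct block storage;
    const struct block *blk = block_get(b, id, &storage);
    return blk->len;                                   /* crashes if NULL */
}

/* Hardened pattern: treat NULL as "binary is corrupt" and fail closed. */
static int dump_metadata_checked(const struct bin *b, uint32_t id,
                                 uint32_t *len_out)
{
    struct block storage;
    const struct block *blk = block_get(b, id, &storage);
    if (blk == NULL) {
        fprintf(stderr, "block %u is missing or corrupt, refusing to dump\n", id);
        return -1;
    }
    *len_out = blk->len;
    return 0;
}

static size_t put_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); return sizeof v; }

/* Build a two-block sample binary (constructed test data). With
 * corrupt_header set, block 0 gets a wrong header id. */
static size_t build_bin(uint8_t *buf, int corrupt_header)
{
    size_t off = 0;
    off += put_u32(buf + off, 2);                              /* block count */
    off += put_u32(buf + off, corrupt_header ? 1818846724u : 0u); /* block 0 id */
    off += put_u32(buf + off, 3);
    memcpy(buf + off, "abc", 3); off += 3;
    off += put_u32(buf + off, 1);                              /* block 1 id */
    off += put_u32(buf + off, 2);
    memcpy(buf + off, "de", 2); off += 2;
    return off;
}

int main(void)
{
    uint8_t good[64], bad[64];
    struct bin g = { good, build_bin(good, 0) };
    struct bin c = { bad, build_bin(bad, 1) };
    uint32_t len = 0;

    printf("good: checked rc=%d len=%u\n", dump_metadata_checked(&g, 0, &len), len);
    printf("corrupt: checked rc=%d\n", dump_metadata_checked(&c, 0, &len));
    /* dump_metadata_unchecked(&c, 0) would SEGV here, like sieve-dump did. */
    return 0;
}
```

The fix in the hardened variant is the same one the report asks for at every call site: a NULL from the block lookup is a corrupt-binary error, not a value to hand to the next function.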