CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

Sending the following bytes to the SMTP server induces a NULL pointer dereference:
0x20,0x41,0xa,0xa,0x56,0x52,0x46,0x59,0x20,0x51,0x45,0xa,0x20,0xa,0x27,0xa,0x4e,0x4f,0x4f,0x50,0x20,0x45,0x45,0x22,0x46,0x59,0xa,0x80,0x44,0x41,0x54,0xa,0x42,0x44,0x41,0x20,0xf6,0xa,0x56,0x52,0x46,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x20,0xa,0x8a,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0x4a,0xa,0xa,0xa,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x20,0xa,0x8a,0xcc,0xcc,0xcc,0xcc,0x48,0xa,0x6d,0xa,0x20,0x50,0x40,0xa,0x41,0xd,0xd,0xa,0xd,0xd,0xa,0xa,0xd,0xa,0xd,0xd,0x42,0x44
The stack trace is:
#0 0x109b49a57 in smtp_string_parse smtp-syntax.c:35
#1 0x109b6cdf4 in smtp_server_cmd_noop smtp-server-cmd-noop.c:19
#2 0x109b75a46 in smtp_server_command_new smtp-server-command.c:248
#3 0x109b8b139 in smtp_server_connection_handle_command smtp-server-connection.c:299
#4 0x109b8a3e3 in smtp_server_connection_handle_input smtp-server-connection.c:434
#5 0x109b89d4a in smtp_server_connection_input smtp-server-connection.c:583
#6 0x109c1378b in io_loop_call_io ioloop.c:713
#7 0x109c14970 in io_loop_call_pending ioloop.c:751
#8 0x109c14449 in io_loop_handler_run ioloop.c:766
#9 0x109c140cd in io_loop_run ioloop.c:738
#10 0x109b0cde1 in LLVMFuzzerTestOneInput fuzz-smtp-server.c:86
Indeed, smtp_server_cmd_noop calls smtp_string_parse(params, NULL, NULL), so the third parameter is NULL.
The fix seems obvious, as the same check is already done in the code a few lines earlier:
diff --git a/src/lib-smtp/smtp-syntax.c b/src/lib-smtp/smtp-syntax.c
index 5d22445f72..43db157ded 100644
--- a/src/lib-smtp/smtp-syntax.c
+++ b/src/lib-smtp/smtp-syntax.c
@@ -32,7 +32,8 @@ int smtp_string_parse(const char *string,
return -1;
}
if (parser.cur < parser.end) {
- *error_r = "Invalid character in string";
+ if (error_r != NULL)
+ *error_r = "Invalid character in string";
return -1;
}
return 1;
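Review bot: The NULL guard on error_r in the parser.cur < parser.end branch is the right fix, but nothing in the change documents or tests that error_r is optional. Since smtp_server_cmd_noop calls smtp_string_parse(params, NULL, NULL), suggest a comment on the function stating that both out-parameters may be NULL, plus a unit test that passes a string with a trailing invalid character and NULL for both, so this path stays covered. It is also worth confirming that every other write through the out-parameters in this function is guarded the same way.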
A null pointer dereference induces a crash of the SMTP server.
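The pattern behind this bug, as an added example that is not Dovecot's code: a simplified string parser whose out-parameters are optional, with every error write routed through one helper that checks for NULL. The names demo_string_parse, fail and is_atext, the simplified grammar, the 0 return for empty input and the sample input are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: store the message only if the caller asked for one. */
static int fail(const char **error_r, const char *msg)
{
	if (error_r != NULL)
		*error_r = msg;
	return -1;
}

static int is_atext(unsigned char c)
{
	return isalnum(c) || (c != '\0' && strchr("!#$%&'*+-/=?^_`{|}~", c) != NULL);
}

/* Parse an atom or a quoted string (simplified model of an SMTP "String").
 * Returns 1 on success, 0 for empty input, -1 on error.
 * len_r and error_r are optional: callers that only validate pass NULL. */
int demo_string_parse(const char *s, size_t *len_r, const char **error_r)
{
	const char *p = s;
	size_t len = 0;

	if (*p == '\0')
		return 0;
	if (*p == '"') {
		for (p++; *p != '"'; p++, len++) {
			if (*p == '\\')
				p++; /* escaped character */
			if ((unsigned char)*p < 32 || (unsigned char)*p > 126)
				return fail(error_r, "Invalid quoted string");
		}
		p++; /* closing quote */
	} else {
		while (is_atext((unsigned char)*p))
			p++, len++;
	}
	if (*p != '\0') /* trailing data: the branch that crashed with a NULL error_r */
		return fail(error_r, "Invalid character in string");
	if (len_r != NULL)
		*len_r = len;
	return 1;
}

int main(void)
{	/* Constructed input: atom followed by a stray quote, no out-parameters. */
	return demo_string_parse("EE\"FY", NULL, NULL) == -1 ? 0 : 1;
}
```

Routing every error write through one helper means a new error path cannot reintroduce the unguarded dereference.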