[PATCH] Mail: fix STARTTLS misalloc

Markus Linnala Markus.Linnala at cybercom.com
Fri Sep 20 19:48:12 UTC 2013 

# HG changeset patch
# User Markus Linnala <Markus.Linnala at cybercom.com>
# Date 1379691757 -10800
#      Fri Sep 20 18:42:37 2013 +0300
# Node ID 79cea900573997a74400dcef925de41ec6c150e7
# Parent  4e7279d4c9c4181683373df3947749a7727b89a4
Mail: fix STARTTLS misalloc

Found by mail_imap.t from mdounin nginx-tests when running under valgrind.

==10647== Invalid write of size 1
==10647==    at 0x4B1493: ngx_mail_smtp_merge_srv_conf (ngx_mail_smtp_module.c:280)
==10647==    by 0x4AB363: ngx_mail_block (ngx_mail.c:209)
==10647==    by 0x4303BE: ngx_conf_parse (ngx_conf_file.c:391)
==10647==    by 0x42DF03: ngx_init_cycle (ngx_cycle.c:265)
==10647==    by 0x4206A9: main (nginx.c:333)
==10647==  Address 0x550fb84 is 0 bytes after a block of size 68 alloc'd
==10647==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10647==    by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10647==    by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10647==    by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10647==    by 0x4B1447: ngx_mail_smtp_merge_srv_conf (ngx_mail_smtp_module.c:269)
==10647==    by 0x4AB363: ngx_mail_block (ngx_mail.c:209)
==10647==    by 0x4303BE: ngx_conf_parse (ngx_conf_file.c:391)
==10647==    by 0x42DF03: ngx_init_cycle (ngx_cycle.c:265)
==10647==    by 0x4206A9: main (nginx.c:333)
==10647==

I choose to retain extra CRLF as I could not test protocol change easily.
As per RFC 2487 there is no extra CRLF. But it was not obvious why it was
there from history.

This fixes ticket #411

diff -r 4e7279d4c9c4 -r 79cea9005739 src/mail/ngx_mail_smtp_module.c
--- a/src/mail/ngx_mail_smtp_module.c	Fri Sep 20 17:57:21 2013 +0300
+++ b/src/mail/ngx_mail_smtp_module.c	Fri Sep 20 18:42:37 2013 +0300
@@ -264,7 +264,7 @@
         last[3] = ' ';
     }
 
-    size += sizeof("250 STARTTLS" CRLF) - 1;
+    size += sizeof("250 STARTTLS" CRLF CRLF) - 1;
 
     p = ngx_pnalloc(cf->pool, size);
     if (p == NULL) {
@@ -276,8 +276,7 @@
 
     p = ngx_cpymem(p, conf->capability.data, conf->capability.len);
 
-    p = ngx_cpymem(p, "250 STARTTLS" CRLF, sizeof("250 STARTTLS" CRLF) - 1);
-    *p++ = CR; *p = LF;
+    p = ngx_cpymem(p, "250 STARTTLS" CRLF CRLF, sizeof("250 STARTTLS" CRLF CRLF) - 1);
 
     p = conf->starttls_capability.data
         + (last - conf->capability.data) + 3;

More information about the nginx-devel mailing list