Message-ID: <16331f22-c81e-fa25-3930-9c282a975e0e@vulndisco.cc>
Date: Sun, 7 Aug 2022 18:20:11 +0300
From: Evgeny Legerov <admin@...ndisco.cc>
To: oss-security@...ts.openwall.com
Subject: Re: Exim 4.95 invalid free

Hi,


Here is another interesting piece of code in Exim 4.96.

I really doubt that it is exploitable, but if someone manages to 
reproduce at least an ASAN crash, it would be great.

SPF_dns_exim_new(int debug)
{


memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;


spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
   "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
   {
   free(spf_dns_server);
   return NULL;
   }


If SPF_dns_rr_new_init() fails, spf_dns_server will be freed with free().


regards,

-e

On 06.08.2022 22:25, Solar Designer wrote:
> On Sat, Aug 06, 2022 at 08:47:21PM +0200, Solar Designer wrote:
>> Yet I understand we cannot really ask you for more, and a brief
>> link-only heads-up is better than none.
> When I wrote the above, I didn't realize these two bugs (in zlib and
> Exim) were Evgeny's own findings.  Now that I do, I think it isn't
> unreasonable for us to ask Evgeny to include the full detail in such
> postings going forward.  We'd appreciate that, Evgeny!
>
> Alexander
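
The following is an added example, not part of the original message and not Exim or libspf2 code. The excerpt does not show how spf_dns_server is allocated; assuming it comes from a wrapper allocator that returns a pointer past its own header (the hypothetical wrap_malloc/wrap_free, with dns_server_t and rr_new_init as constructed stand-ins), it shows the same error path releasing the block through the matching deallocator instead of free().

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical wrapper allocator (an assumption, not Exim code): a header
   sits in front of every block and the caller gets the address after it. */
typedef struct { size_t size; size_t pad; } hdr_t;
static size_t live_blocks;            /* outstanding wrapper allocations */

void *wrap_malloc(size_t n) {
    hdr_t *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->size = n;
    live_blocks++;
    return h + 1;                     /* not the address malloc() returned */
}

void wrap_free(void *p) {
    if (!p) return;
    free((hdr_t *)p - 1);             /* step back to the malloc() base */
    live_blocks--;
}
size_t wrap_live(void) { return live_blocks; }

/* Constructed stand-ins for SPF_dns_server_t and SPF_dns_rr_new_init(). */
typedef struct { const char *name; int debug; void *nxdomain; } dns_server_t;
static void *rr_new_init(int fail) { return fail ? NULL : wrap_malloc(16); }

/* Same shape as the excerpt; fail_rr forces the failure branch. */
dns_server_t *dns_server_new(int debug, int fail_rr) {
    dns_server_t *s = wrap_malloc(sizeof *s);
    if (!s) return NULL;
    memset(s, 0, sizeof *s);
    s->name = "example";
    s->debug = debug;
    if (!(s->nxdomain = rr_new_init(fail_rr))) {
        /* free(s) would pass free() an address malloc() never returned;
           the release has to go through the allocator's own routine. */
        wrap_free(s);
        return NULL;
    }
    return s;
}

void dns_server_free(dns_server_t *s) {
    if (s) { wrap_free(s->nxdomain); wrap_free(s); }
}

int main(void) {                      /* exercises the failure path */
    return (!dns_server_new(0, 1) && wrap_live() == 0) ? 0 : 1;
}
```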
