Subject: PATCH: cleanup die with long recipient address
From: Wietse Venema (wietse@porcupine.org)
Date: Sat Sep 16 2000 - 20:30:18 CDT


[signal 11 in cleanup]

adi:
> I don't think that my problem was a hardware-related problem. Anyway, I
> could reproduce my problem on my home machine. I've set up 2 dummy
> interfaces and bound postfix and qmail to those interfaces.

Thanks for minimizing the conditions needed for reconstruction.
With this, Purify immediately pointed out to me what was wrong.

When propagating an address extension in a virtual or canonical
mapping, cleanup accesses memory that is no longer allocated. This
can happen when the result address length is more than 100 characters.

Below is a patch. I'll do an official 19991231-pl09 release over
the weekend that also includes a couple fixes that were already
part of snapshot releases.

        Wietse

diff -bcr ../postfix-19991231-pl08/global/mail_addr_crunch.c global/mail_addr_crunch.c
*** ../postfix-19991231-pl08/global/mail_addr_crunch.c Sun Apr 25 18:05:41 1999
--- global/mail_addr_crunch.c Sat Sep 16 18:39:16 2000
***************
*** 88,93 ****
--- 88,94 ----
                  vstring_strcat(canon_addr, extension);
              } else {
                  VSTRING_SPACE(canon_addr, extlen + 1);
+ ratsign = strrchr(STR(canon_addr), '');
                  memmove(ratsign + extlen, ratsign, strlen(ratsign) + 1);
                  memcpy(ratsign, extension, extlen);
                  VSTRING_SKIP(canon_addr);
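
Review bot: the added `ratsign = strrchr(STR(canon_addr), '');` line, placed right after `VSTRING_SPACE(canon_addr, extlen + 1);`, carries no comment saying why the pointer is looked up a second time. The message describes cleanup touching memory that is no longer allocated, so a one-line comment that VSTRING_SPACE may move the buffer and that any pointer into STR(canon_addr) taken before it is stale would stop a later cleanup from removing the line as redundant. Two smaller points on the same line: the character literal reads `''` as shown here, which is not valid C, and going by the variable name the search character is '@'; and the strrchr() result goes straight into memmove() and strlen() without a NULL check, so if the enclosing branch already guarantees an '@' is present, the comment should say so.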
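
The stale-pointer pattern described in the message, as an added example that is not part of the original post or of Postfix. `struct gbuf`, `gbuf_from`, `gbuf_space` and `insert_extension` are hypothetical stand-ins for the VSTRING calls in the patch, and the address and extension are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable string, standing in for a VSTRING-style buffer. */
struct gbuf { char *data; size_t cap; };

struct gbuf gbuf_from(const char *s)
{
    struct gbuf b = { malloc(strlen(s) + 1), strlen(s) + 1 };
    if (b.data != NULL) strcpy(b.data, s);
    return b;
}

/* Make room for `extra` more bytes; growth always moves the data here (realloc only sometimes does). */
static int gbuf_space(struct gbuf *b, size_t extra)
{
    size_t need = strlen(b->data) + extra + 1;
    char *p;
    if (need <= b->cap) return 0;
    if ((p = malloc(need)) == NULL)
        return -1;
    strcpy(p, b->data);
    free(b->data);              /* every older pointer into data is now stale */
    b->data = p;
    b->cap = need;
    return 0;
}

/* Insert ext before the rightmost '@'. Returns 0, or -1 if no '@' or no memory. */
int insert_extension(struct gbuf *b, const char *ext)
{
    size_t extlen = strlen(ext);
    char *at = strrchr(b->data, '@');
    if (at == NULL || gbuf_space(b, extlen) < 0)
        return -1;
    /* Using the old `at` here would write into freed memory once the buffer grew. */
    at = strrchr(b->data, '@'); /* look it up again in the current buffer */
    memmove(at + extlen, at, strlen(at) + 1);
    memcpy(at, ext, extlen);
    return 0;
}

int main(void)
{
    struct gbuf b = gbuf_from("user@example.com");  /* constructed address */
    if (b.data != NULL && insert_extension(&b, "+ext") == 0) puts(b.data);
    free(b.data);
    return 0;
}
```

Storing the offset of the '@' before growing the buffer and re-adding it to the new base afterwards is an equivalent way to avoid the stale pointer.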