From oleg@lath.rinet.ru  Wed Jul  9 15:48:44 2003
Return-Path: <oleg@lath.rinet.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B2EB337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  9 Jul 2003 15:48:44 -0700 (PDT)
Received: from lath.rinet.ru (lath.rinet.ru [195.54.192.90])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 10BFB43FBD
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  9 Jul 2003 15:48:44 -0700 (PDT)
	(envelope-from oleg@lath.rinet.ru)
Received: by lath.rinet.ru (Postfix, from userid 222)
	id 2E12F2EF9; Thu, 10 Jul 2003 02:48:42 +0400 (MSD)
Message-Id: <20030709224842.2E12F2EF9@lath.rinet.ru>
Date: Thu, 10 Jul 2003 02:48:42 +0400 (MSD)
From: Oleg Bulyzhin <oleg@rinet.ru>
Reply-To: Oleg Bulyzhin <oleg@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: oleg@rinet.ru
Subject: [PATCH] sendmail coredumps (sometime) when using dns map
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         54288
>Category:       bin
>Synopsis:       [PATCH] sendmail coredumps (sometime) when using dns map
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 09 15:50:21 PDT 2003
>Closed-Date:    Sat Jul 12 03:14:13 PDT 2003
>Last-Modified:  Sat Jul 12 03:14:13 PDT 2003
>Originator:     Oleg Bulyzhin
>Release:        FreeBSD 4.8-RELEASE i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD lath.rinet.ru 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Sat Apr 5 12:35:16 MSD 2003 root@lath.rinet.ru:/lh/obj/lh/src/sys/lath i386

	Any FreeBSD version with sendmail below 8.12.9 is affected, I guess.

>Description:
	Only sendmail 8.12.8 (and previous) are affected. 8.12.9 has this bug
	fixed.

	If you are using dns maps in your sendmail.cf and have decent smtp
	traffic you can see "random" sendmail crashes.
	(The problem was noticed on our primary mail relay, which has about 300000
	delivery attempts per day.) If you search your maillog for the crashed
	sendmail pid you can see (often, but not always) an error like this:
	sm-mta[90653]: ERROR: DNS RDLENGTH=63885 > data len=2468

	Here is an explanation of why this can happen:
	In dns_parse_reply() sendmail builds a chain of RESOURCE_RECORD_T
	structures (dynamically allocating memory for them). Due to wrong
	initialization of those structures, if sendmail gets a bad dns reply
	(with actual reply size != announced reply size), it calls
	dns_free_data (sm_resolve.c:227) with the rr_next field of the last chain
	structure filled with garbage. In dns_free_data() sendmail tries to
	free the allocated chain of structures: it goes through the chain using the
	rr_next pointer and stops when rr_next == NULL. Garbage in the rr_next
	field causes sendmail to call free() on random addresses.
	This usually causes sendmail to crash.

	Theoretically (I'm not sure) this bug can lead to remote code
	execution.

>How-To-Repeat:
	Don't know easy ways to reproduce the problem. (We need a source of broken
	dns replies, I guess.)
>Fix:
	Use sm_resolve.c coming with sendmail 8.12.9 or use this patch:

--- sm_resolve.c.orig	Fri Jun 28 00:43:24 2002
+++ sm_resolve.c	Thu Jul 10 01:21:17 2003
@@ -233,6 +233,7 @@
 			dns_free_data(r);
 			return NULL;
 		}
+		memset(*rr, 0, sizeof(**rr));
 		(*rr)->rr_domain = sm_strdup(host);
 		if ((*rr)->rr_domain == NULL)
 		{
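Review bot: the added memset(*rr, 0, sizeof(**rr)) lands in the right place, after the sm_malloc failure branch (dns_free_data(r); return NULL;) and before the first store to (*rr)->rr_domain, so every later error path that reaches dns_free_data(r) finds rr_next and the other pointer members NULL instead of whatever the allocator handed back. Since the line looks like a redundant initialisation to anyone reading the loop later, a one-line comment above it stating that dns_free_data() walks rr_next until NULL and therefore relies on the struct being zeroed would keep it from being removed; the patch is otherwise correct for the report's failure mode.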

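The failure mode described above, as an added example that is not part of this PR or of sendmail: a reduced model of the record chain, with a bump allocator that hands out 0xAB-filled memory in place of sm_malloc(), and a parse routine that bails out mid-record and then runs a dns_free_data()-style walk, which either stops at the NULL that the patch's memset() guarantees or runs into the garbage rr_next. Everything except rr_next, dns_free_data and memset is an assumption of this example.

```c
#include <stdint.h>
#include <string.h>

/* Reduced model of RESOURCE_RECORD_T (assumed shape; the real one has more). */
typedef struct rr_model {
    int rr_type;
    struct rr_model *rr_next;
} rr_model_t;

/* Bump allocator over an arena pre-filled with 0xAB: a stand-in for a heap
 * that returns recycled, non-zero memory, which sm_malloc() is free to do. */
static _Alignas(16) unsigned char arena[4096];
static size_t arena_used;

static void *arena_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (arena_used + n > sizeof arena) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Walk the chain the way dns_free_data() does (follow rr_next until NULL).
 * Returns records reached, or -1 once a pointer leaves the arena: the point
 * where the real code would call free() on a garbage address. */
static int walk_chain(const rr_model_t *head) {
    int n = 0;
    for (const rr_model_t *r = head; r != NULL; r = r->rr_next) {
        uintptr_t a = (uintptr_t)arena, b = (uintptr_t)r;
        if (b < a || b + sizeof *r > a + sizeof arena) return -1;
        n++;
    }
    return n;
}

/* Build `total` records but hit a malformed one (the "RDLENGTH > data len"
 * case) at index `bad` and bail out mid-record, exactly where the original
 * calls dns_free_data(). zero_init mirrors the patch's memset(). */
int parse_then_cleanup(int total, int bad, int zero_init) {
    memset(arena, 0xAB, sizeof arena);   /* simulate dirty heap */
    arena_used = 0;
    rr_model_t *head = NULL, **rr = &head;
    for (int i = 0; i < total; i++) {
        *rr = arena_alloc(sizeof **rr);
        if (*rr == NULL) return -2;
        if (zero_init) memset(*rr, 0, sizeof **rr);
        if (i == bad) return walk_chain(head);  /* error path: cleanup now */
        (*rr)->rr_type = i;
        rr = &(*rr)->rr_next;   /* rr_next is only written by the next alloc */
    }
    *rr = NULL;                 /* terminator, reached only on success */
    return walk_chain(head);
}
```

With zero_init the cleanup after a truncated reply visits exactly the records built so far; without it the walk steps off into the 0xAB pattern, which is the "free() on random addresses" the report describes.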



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: yar 
State-Changed-When: Sat Jul 12 03:06:42 PDT 2003 
State-Changed-Why:  
This PR happened to be mishandled by GNATS.  While the GNATS 
index was being repaired, the originator of this PR re-sent 
it again, with the Sendmail maintainer gshapiro@ added to CC: 
this time.  So it seems reasonable to close this PR in favour 
of the newer PR 54367. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=54288 
>Unformatted:
