sendmail 8.14 has a serious memory corruption bug in it
Matthew Dillon
dillon at apollo.backplane.com
Mon Feb 18 11:49:52 PST 2008
Matthias reported that leaf's sendmail had stopped working. I tracked
it down to a bug in sendmail in:
/usr/src/contrib/sendmail-8.14/sendmail/main.c line 2545
It is freeing MainEnvelope's memory pool and then calling newenvelope()
with MainEnvelope as the 'parent'. If the backing store is actually
freed (which it is in DragonFly), this causes a core dump.
    /* at this point we are in a child: reset state */
    sm_rpool_free(MainEnvelope.e_rpool);
    (void) newenvelope(&MainEnvelope, &MainEnvelope,
                       sm_rpool_new_x(NULL));
I think the code needs to be:
    /* at this point we are in a child: reset state */
    {
        SM_RPOOL_T *opool = MainEnvelope.e_rpool;
        (void) newenvelope(&MainEnvelope, &MainEnvelope,
                           sm_rpool_new_x(NULL));
        sm_rpool_free(opool);
    }
I am making this change in our CVS. I'm not sure why it is showing up
now; 8.14 was brought in in November.
I have reported the bug to the sendmail folks.
-Matt
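The following C program is an added illustration of the ordering problem Matt describes; it is not sendmail's code and not part of his message. It models a resource pool and an envelope with a toy allocator whose free operation poisons the backing store (standing in for "the backing store is actually freed"), and runs the reset-child-state sequence in both orders: free-then-newenvelope, as in the original main.c, and newenvelope-then-free, as in the proposed fix. All names, the pool layout, and the fixed-size envelope id are assumptions for the demo only.

```c
/* Added example (not sendmail's code): a minimal model of the ordering bug
 * in the child-reset path. An envelope owns a resource pool (rpool);
 * newenvelope() copies data from the parent envelope into a new pool. If the
 * parent's pool is freed before that copy, the copy reads freed memory.
 * All names and the pool layout are assumptions for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 256
#define ID_LEN    8       /* fixed-size envelope id, "qABC123" plus NUL */
#define POISON    0xdd    /* written over a freed pool so stale reads show */

typedef struct rpool {
    unsigned char arena[POOL_SIZE];
    size_t        used;
    int           freed;
} rpool_t;

typedef struct envelope {
    rpool_t *e_rpool;     /* pool backing this envelope's data */
    char    *e_id;        /* points into e_rpool->arena */
} envelope_t;

static rpool_t *rpool_new(void)
{
    rpool_t *p = calloc(1, sizeof *p);
    if (p == NULL)
        abort();
    return p;
}

static void *rpool_alloc(rpool_t *p, size_t n)
{
    if (p->freed || p->used + n > POOL_SIZE)
        abort();          /* allocating from a freed or full pool is a bug */
    void *d = p->arena + p->used;
    p->used += n;
    return d;
}

/* Stand-in for "the backing store is actually freed": the arena is poisoned
 * so anything still pointing into it reads garbage. A real allocator would
 * hand the memory back and might reuse it immediately (hence the core dump). */
static void rpool_free(rpool_t *p)
{
    memset(p->arena, POISON, POOL_SIZE);
    p->used = 0;
    p->freed = 1;
}

static void rpool_destroy(rpool_t *p)
{
    free(p);
}

/* Reset e as a child of parent, backed by rpool. e and parent may be the
 * same object, as in newenvelope(&MainEnvelope, &MainEnvelope, ...). */
static void newenvelope(envelope_t *e, envelope_t *parent, rpool_t *rpool)
{
    char *id = rpool_alloc(rpool, ID_LEN);
    memcpy(id, parent->e_id, ID_LEN);   /* reads through the parent's pool */
    e->e_rpool = rpool;
    e->e_id = id;
}

/* Runs the child-reset sequence in either order. Returns 1 if the child's id
 * is intact, 0 if it was copied out of the poisoned (freed) pool. */
static int reset_child_state(int free_parent_pool_first)
{
    envelope_t main_env;
    main_env.e_rpool = rpool_new();
    main_env.e_id = rpool_alloc(main_env.e_rpool, ID_LEN);
    memcpy(main_env.e_id, "qABC123", ID_LEN);

    rpool_t *opool = main_env.e_rpool;

    if (free_parent_pool_first) {
        /* original order: free, then copy from the freed pool */
        rpool_free(opool);
        newenvelope(&main_env, &main_env, rpool_new());
    } else {
        /* proposed order: copy first, then free the old pool */
        newenvelope(&main_env, &main_env, rpool_new());
        rpool_free(opool);
    }

    int intact = memcmp(main_env.e_id, "qABC123", ID_LEN) == 0;

    rpool_destroy(main_env.e_rpool);
    rpool_destroy(opool);
    return intact;
}

int main(void)
{
    printf("free-then-newenvelope: id intact = %d\n", reset_child_state(1));
    printf("newenvelope-then-free: id intact = %d\n", reset_child_state(0));
    return 0;
}
```

With the free-first order the copied id is eight 0xdd bytes; with the copy-first order it survives. The same ordering check applies to any "reset and rebuild" code that passes the object being rebuilt as its own parent: everything the rebuild reads from the parent must stay alive until the rebuild returns.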