Closed Bug 500534 Opened 15 years ago Closed 15 years ago

Crash @ [nsImapServerResponseParser::mailbox] with bogus IMAP server

Categories

(MailNews Core :: Networking: IMAP, defect)

1.8 Branch
x86
All
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 376192

People

(Reporter: bsterne, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

Attached file IMAP server script
Steve Kemp <steve@steve.org.uk> reported this issue to security@m.o. I wrote a Python script to emulate the server behavior that produces the crash in case he needs to take down his test server. This crashes Thunderbird 2 but doesn't appear to crash Shredder.

To reproduce:
1. Grab the attachment server.py
2. sudo ./server.py (needs root to bind to port 143)
3. Run Thunderbird 2 and set up an IMAP account with localhost as your Incoming Server
4. Enter a password when you are prompted and witness the crash

This is a null dereference crash, but I'm going to hide it initially because I know nothing about the surrounding code. Feel free to unhide if this is a safe crash. In the stack trace below you can see that boxSpec->connection->GetCurrentUrl() is null when it is dereferenced.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb1bebb90 (LWP 14059)]
0xb6cb9413 in nsImapServerResponseParser::mailbox (this=0x9882f3c, boxSpec=0x9467fb0) at /build/tb2/mozilla/mailnews/imap/src/nsImapServerResponseParser.cpp:964
964 boxSpec->connection->GetCurrentUrl()->AllocateCanonicalPath(boxname, boxSpec->hierarchySeparator, &boxSpec->allocatedPathName);
(gdb) p boxSpec
$1 = (class nsImapMailboxSpec *) 0x9467fb0
(gdb) p boxSpec->connection
$2 = (class nsImapProtocol *) 0x9882d88
(gdb) p boxSpec->connection->GetCurrentUrl
$3 = {class nsIImapUrl *( nsImapProtocol *)} 0xb6cafedc <nsImapProtocol::GetCurrentUrl()>
(gdb) p boxSpec->connection->GetCurrentUrl()
[Thread 0xb450cb90 (LWP 14057) exited]
[Thread 0xb23ecb90 (LWP 14060) exited]
$4 = (class nsIImapUrl *) 0x0

This is preceded by the assertion:

###!!! ASSERTION: box spec has connection with null url: 'boxSpec->connection->GetCurrentUrl()', file /build/tb2/mozilla/mailnews/imap/src/nsImapServerResponseParser.cpp, line 961
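Added example, not part of the bug report and not the fix from bug 376192: the trace shows the assertion at line 961 firing and execution still reaching the dereference at line 964, so the sketch below puts that pattern beside a form that checks the pointer at runtime and rejects the mailbox response. All type and function names are hypothetical stand-ins for the Thunderbird classes, and CanonicalPath is a simplified placeholder for AllocateCanonicalPath.

```cpp
#include <cstdio>
#include <string>
// Hypothetical stand-ins for the classes named in the stack trace (not Mozilla code).
struct ImapUrl {
    std::string CanonicalPath(std::string box, char sep) const {
        for (char& c : box) if (c == sep) c = '/';   // separator -> '/'
        return box;
    }
};
struct ImapProtocol {
    ImapUrl* currentUrl = nullptr;            // null when no URL is running
    ImapUrl* GetCurrentUrl() const { return currentUrl; }
};
struct MailboxSpec {
    ImapProtocol* connection = nullptr;
    char hierarchySeparator = '/';
    std::string allocatedPathName;
};

// Log-only assertion: reports the problem, then execution continues.
#define LOG_ASSERT(cond, msg) \
    do { if (!(cond)) std::fprintf(stderr, "###!!! ASSERTION: %s\n", msg); } while (0)

// Pattern from the trace: assertion, then an unconditional dereference.
bool MailboxUnchecked(MailboxSpec& spec, const std::string& boxname) {
    LOG_ASSERT(spec.connection->GetCurrentUrl(), "box spec has connection with null url");
    spec.allocatedPathName = spec.connection->GetCurrentUrl()   // null when no URL is running
        ->CanonicalPath(boxname, spec.hierarchySeparator);
    return true;
}

// Hardened form: treat server-driven state as untrusted and fail closed.
bool MailboxChecked(MailboxSpec& spec, const std::string& boxname) {
    ImapUrl* url = spec.connection ? spec.connection->GetCurrentUrl() : nullptr;
    LOG_ASSERT(url, "box spec has connection with null url");
    if (!url) return false;                   // drop this mailbox response
    spec.allocatedPathName = url->CanonicalPath(boxname, spec.hierarchySeparator);
    return true;
}

int main() {
    ImapProtocol conn;                        // constructed state: no current URL
    MailboxSpec spec; spec.connection = &conn; spec.hierarchySeparator = '.';
    bool rejected = !MailboxChecked(spec, "INBOX.Sent");
    ImapUrl url; conn.currentUrl = &url;
    bool ok = MailboxChecked(spec, "INBOX.Sent");
    std::printf("rejected=%d ok=%d path=%s\n", rejected, ok, spec.allocatedPathName.c_str());
}
```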
Component: General → Networking: IMAP
Product: Thunderbird → MailNews Core
QA Contact: general → networking.imap
Version: 2.0 → 1.8 Branch
this is a dup of bug 376192 - I'll nominate that fix for 1.8.1 next...afaik, it's a safe crash.
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
even closed bugs should get keyword(s), severity, etc appropriate to bug description
Severity: normal → critical
Keywords: crash