Security tests#20
Open
sayrer wants to merge 4 commits into
Open
Conversation
Two reproducers for memory safety issues found during audit: - master_sig_test.c: Demonstrates heap corruption when a signal handler calls non-async-safe functions (msg_info/msg_fatal) during malloc. Reproduces the master_sigdeath() bug in master_sig.c. Run with DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib for reliable detection (~21% crash rate). - recipient_list_test.c: Demonstrates integer overflow in recipient_list_add() when avail exceeds INT_MAX/2. The expression avail * 2 overflows, producing a bogus allocation size. Crashes deterministically. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
vbuf_print() dereferences NULL when a %s format argument is NULL, causing SIGSEGV. Standard printf prints "(null)" for NULL %s args; Postfix's vbuf_print does VBUF_STRCAT(bp, s) without checking. This crashes in production when error-handling code in mail_params_init() calls msg_fatal() with var_config_dir as a %s argument before var_config_dir is initialized. Found by running the existing mail_addr_find test under AddressSanitizer. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tls_cert_fprint() passes the return value of i2d_X509() directly to mymalloc() without checking for errors. i2d_X509() returns -1 (OpenSSL 1.x) or 0 (OpenSSL 3.x) on error. Both values cause mymalloc() to panic (len < 1), crashing the smtpd process. This is remotely triggerable: a client presents a malformed TLS certificate during STARTTLS, smtpd calls tls_cert_fprint() at tls_server.c:1053 to fingerprint the peer cert, i2d_X509 fails, and smtpd crashes. The same pattern exists in tls_pkey_fprint() and in tls_dane.c:1144. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a MITM replaces the server's "220 Ready to start TLS" response with "454 TLS not available", the SMTP client falls back to plaintext (at security level "may"). The AUTH feature from the pre-STARTTLS EHLO persists, causing the client to send SASL credentials (AUTH PLAIN/LOGIN) in cleartext — directly to the attacker. The fix strips SMTP_FEATURE_AUTH and cleans up the SASL mechanism list after the server rejects STARTTLS. This prevents credential transmission over a connection that was supposed to be encrypted. The HAVE_SASL_CREDENTIALS check in PLAINTEXT_FALLBACK_OK_AFTER_ STARTTLS_FAILURE does not protect this path because that macro only governs the TLS handshake failure retry (RETRY_AS_PLAINTEXT). The 454 path never triggers a retry — it continues on the same plaintext connection. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.