
Re: [Nmh-workers] Segfault in post from mime quoted names in aliases

2017-04-12 21:48:32
> > I think any two group-based aliases would have triggered it.
>
> That probably depends on the implementation of getgrnam(3) and
> getgrgid(3).  Perhaps some didn't rely on gr_mem not changing.

That's true, but I did encounter that on MacOS X, which uses a
BSD-derived userland.  Johan didn't say what his operating system
was, but I had guessed a Linux system.  I think everyone would agree
modifying the returned gr_mem pointer is majorly wrong!

> I thought mh-alias(5) was doing a poor job of what `=foo' does, so I
> tried to follow the code.  Here's my understanding.
>
> `=foo' calls addgroup("foo").  addgroup() tries getgrnam("foo") and, on
> failure, getgrgid(atoi("foo")), the latter is undocumented.

Ah, this IS documented, though!  From mh-alias(5):

       Alias-file and file are UNIX file names.  UNIX-group is a group name or
       number from the system's group database.

> If neither
> succeeds then an error is returned to the caller.  That may be ignored
> depending on the source of the `=foo'.

Right, but even worse ... that call always succeeds!  Well, atoi() on
random text will return '0', and getgrgid(0) will probably always
succeed.  The only way you could get that routine to fail would be to do
something like =8765 and not have it be a valid group.

> It then runs through the group's members and searches for each in the
> `homehead' list, the "in-core" /etc/passwd.  It does not call init_pw()
> first so this list may be empty.  If it finds a match then the user is
> added to the alias, else the lack of a match is ignored.  Then, even
> though we've done that search, getpwnam() is called to look up the user
> and if found then the user is added to the alias, and appended to the
> `homehead' list even though it may have already been found therein.
> Over time, `homehead' accumulates duplicates.

Urrrk ... the more I look at that code, the more it gives me headaches.
I thought I understood it, but now I don't.

It occurs to me that a group cannot start with '?', so a simple solution
would be to just treat '=?' as the start of literal text; that would take
care of any RFC-2047 encoded addresses.  And of course make sure that
random text that comes after a '=' doesn't get treated as group 0.  And
maybe we can all figure out what that code does? :-)

--Ken
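The two fixes Ken sketches (treat `=?` as literal text, and stop `atoi()` turning arbitrary text into gid 0), as an added example that is not nmh's addgroup() code; the names parse_group_ref and lookup_group_ref are hypothetical, and the gr_mem walk shows the index-based loop that avoids touching the pointer getgrnam() returned.

```c
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* How the text of an "=..." alias token should be interpreted. */
enum group_ref { REF_LITERAL, REF_NUMERIC, REF_NAME };

/* Classify an alias token that starts with '='.  A group name cannot start
 * with '?', so "=?" is literal text (e.g. an RFC 2047 encoded-word).  A
 * numeric reference must be all digits: atoi("foo") is 0, and "12abc" is
 * not gid 12 either, so both fall through to a name lookup instead. */
enum group_ref parse_group_ref(const char *token, gid_t *gid_out)
{
    const char *s = token + 1;                /* text after the '=' */
    char *end;
    unsigned long val;

    if (token[0] != '=' || s[0] == '?')
        return REF_LITERAL;
    if (!isdigit((unsigned char)s[0]))
        return REF_NAME;
    errno = 0;
    val = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return REF_NAME;                      /* trailing junk: not a gid */
    if (gid_out)
        *gid_out = (gid_t)val;
    return REF_NUMERIC;
}

/* Same lookup order as the text describes (name first, then number), but
 * getgrgid() is only reached for an all-digit reference, never for "=foo". */
struct group *lookup_group_ref(const char *token)
{
    gid_t gid;
    struct group *gr;
    enum group_ref kind = parse_group_ref(token, &gid);

    if (kind == REF_LITERAL)
        return NULL;
    if ((gr = getgrnam(token + 1)) != NULL)
        return gr;
    return kind == REF_NUMERIC ? getgrgid(gid) : NULL;
}

int main(int argc, char **argv)
{
    struct group *gr = lookup_group_ref(argc > 1 ? argv[1] : "=0");
    if (gr == NULL) {
        puts("not a group reference, or unknown group");
        return 1;
    }
    /* Walk gr_mem by index; never advance or overwrite gr->gr_mem itself. */
    for (int i = 0; gr->gr_mem[i] != NULL; i++)
        printf("%s: member %s\n", gr->gr_name, gr->gr_mem[i]);
    return 0;
}
```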

