[gnutls-dev] RFH gnutls related crash of exim4 on x86_64 (Bug#412886)

Andreas Metzler ametzler at downhill.at.eu.org
Tue May 15 19:15:32 CEST 2007


Ronny Adsetts has been plagued by an exim4 crash in the gnutls code
when receiving mail from a specific server. - It seems like gnutls
does not like the client certificate and crashes. The complete bug
history is on <http://bugs.debian.org/412886>, featuring strace output
and a tcpdump capture.

Ronny has been able to get the following backtrace, with the segfault
happening due to null-pointer dereferencing in _gnutls_read_uint16.

I do not know how debug this efficiently, the machine in question is
a production machine and the bug only occurs on specific third party
hosts connecting.

TIA for your help. This is gnutls 1.4.x, BTW)
cu andreas

----- Forwarded message from Ronny Adsetts <ronny.adsetts at amazinginternet.com> -----
Message-ID: <46474C1C.1040207 at amazinginternet.com>
Date: Sun, 13 May 2007 18:34:20 +0100
From: Ronny Adsetts <ronny.adsetts at amazinginternet.com>
To: 412886 at bugs.debian.org, Marc Haber <mh+debian-packages at zugschlus.de>,
	Andreas Metzler <ametzler at downhill.at.eu.org>

Hi Marc/Andreas,

I've finally managed to get a core file on this segfault:

$ sudo gdb /usr/sbin/exim4 core
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux"...Using host libthread_db library "/l.

Core was generated by `/usr/sbin/exim4 -bd -q30m -oX 587:465:25 -oP /var/run/ex.
Program terminated with signal 11, Segmentation fault.


#0  _gnutls_read_uint16 (data=0x0) at gnutls_num.c:120
120     gnutls_num.c: No such file or directory.
        in gnutls_num.c
(gdb) bt
#0  _gnutls_read_uint16 (data=0x0) at gnutls_num.c:120
#1  0x00002ba3e841bfc9 in _gnutls_proc_rsa_client_kx (session=0x629e10,
    data=0x0, _data_size=61) at auth_rsa.c:213
#2  0x00002ba3e84171e9 in _gnutls_recv_client_kx_message (session=0x629e10)
    at gnutls_kx.c:333
#3  0x00002ba3e8412c72 in _gnutls_handshake_server (session=0x629e10)
    at gnutls_handshake.c:2259
#4  0x00002ba3e841236b in gnutls_handshake (session=0x629e10)
    at gnutls_handshake.c:1908
#5  0x00000000004604a7 in tls_server_start (require_ciphers=0x0)
    at tls-gnu.c:838
#6  0x0000000000459339 in smtp_setup_msg () at smtp_in.c:3212
#7  0x0000000000418fc3 in handle_smtp_call (listen_sockets=0x5e3cd0,
    listen_socket_count=6, accept_socket=0, accepted=0x0) at daemon.c:495
#8  0x000000000041a55c in daemon_go () at daemon.c:1815
#9  0x000000000042848b in main (argc=7, cargv=0x0) at exim.c:3922

Please let me know if you want any more information.


Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com

Registered office: UK House, 82 Heath Road, Twickenham TW1 4BW
Registered in England. Company No. 4042957 
----- End forwarded message -----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: </pipermail/attachments/20070515/5e74a14c/attachment.pgp>

More information about the Gnutls-devel mailing list