Segfault in opendmarc_arcseal_parse()

[minfrin]

I'm seeing a sudden crash of opendmarc as below.

Managed to catch it in a debugger.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f6a22ffd700 (LWP 31339)]
0x00007f6a2b270a84 in strlcpy (dst=dst@entry=0x7f6a14008749 "", src=src@entry=0x0, dsize=dsize@entry=513) at strlcpy.c:36
36				if ((*dst++ = *src++) == '\0')
(gdb) bt
#0  0x00007f6a2b270a84 in strlcpy (dst=dst@entry=0x7f6a14008749 "", src=src@entry=0x0, dsize=dsize@entry=513) at strlcpy.c:36
#1  0x000000000040c16e in opendmarc_arcseal_parse (hdr=<optimized out>, as=as@entry=0x7f6a14008240) at opendmarc-arcseal.c:201
#2  0x0000000000408673 in mlfi_eom (ctx=0x959c90) at opendmarc.c:2625
#3  0x00007f6a2bdd3535 in st_bodyend (g=g@entry=0x7f6a22ffce80) at engine.c:1614
#4  0x00007f6a2bdd38d7 in mi_engine (ctx=ctx@entry=0x959c90) at engine.c:405
#5  0x00007f6a2bdd5a08 in mi_handle_session (ctx=0x959c90) at handler.c:45
#6  0x00007f6a2bdd4549 in mi_thread_handle_wrapper (arg=<optimized out>) at listener.c:579
#7  0x00007f6a2bbb9ea5 in start_thread (arg=0x7f6a22ffd700) at pthread_create.c:307
#8  0x00007f6a2ad8cb0d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) bt full
#0  0x00007f6a2b270a84 in strlcpy (dst=dst@entry=0x7f6a14008749 "", src=src@entry=0x0, dsize=dsize@entry=513) at strlcpy.c:36
        osrc = 0x0
        nleft = 512
#1  0x000000000040c16e in opendmarc_arcseal_parse (hdr=<optimized out>, as=as@entry=0x7f6a14008240) at opendmarc-arcseal.c:201
        leading_space_len = 74
        tag_label = 0x7f6a22fd81aa "b"
        token_ptr = <optimized out>
        tmp_ptr = 0x0
        token = 0x7f6a22fd8160 "i"
        tmp = "i\000\061\000 cv\000none\000 a\000rsa-sha256\000 d\000list.sys4.de\000 s\000\062\065\061\060\062\062-rsa\000\n t\000\061\066\067\070\061\071\071\065\065\065\000\n b\000UyvjKJW4/yrM8FTYMRb3BLzaJc3t9tzCsjDWSC4gI2IjEl90q3yREArPeiLbhF2qZTL5JlBbRboMzgMBVO7rffYQI+zosMgCrnmHQ+pAU0UGSVtUeYyWXsgcvYY9"...
        result = 0
        __PRETTY_FUNCTION__ = "opendmarc_arcseal_parse"
#2  0x0000000000408673 in mlfi_eom (ctx=0x959c90) at opendmarc.c:2625
        as_hdr_new = 0x7f6a14008240
        wspf = false
        c = <optimized out>
        pc = <optimized out>
        policy = <optimized out>
        status = <optimized out>
        adkim = 0
        aspf = 0
        pct = 0
        p = 0
        sp = 0
        align_dkim = 0
        align_spf = 0
        limit_arc = 0
        result = <optimized out>
        ret = <optimized out>
        ostatus = <optimized out>
        apused = <optimized out>
        apolicy = 0x0
        aresult = 0x0
        adisposition = 0x0
        hostname = 0x7f6a14005963 "server.example.com"
        authservid = 0x7f6a14005963 "server.example.com"
        spfaddr = <optimized out>
        cc = 0x7f6a140008c0
        dfc = 0x7f6a140019f0
        conf = 0x942010
        hdr = 0x7f6a140054d0
---Type <return> to continue, or q <return> to quit---
        from = <optimized out>
        as_hdr = <optimized out>
        reqhdrs_error = <optimized out>
        user = 0x7f6a22ffbd50 "postfix-devel"
        users = 0x7f6a140067c0
        domain = 0x7f6a22ffbd5e "postfix.org"
        domains = 0x7f6a14006680
        bang = <optimized out>
        ruv = <optimized out>
        header = "OpenDMARC Filter v1.4.1 server.example.com A26462295C9\000.from=apache.org", '\000' <repeats 626 times>...
        addrbuf = "postfix-devel\000postfix.org\000devel <postfix-devel@postfix.org>", '\000' <repeats 1989 times>
        replybuf = "d\205\341*j\177", '\000' <repeats 90 times>, "\020\000\000\000\060\000\000\000\060\314\377\"j\177\000\000p\313\377\"j\177", '\000' <repeats 830 times>...
        pdomain = "apache.org", '\000' <repeats 54 times>
        ar = {ares_count = 0, ares_host = '\000' <repeats 256 times>, ares_version = '\000' <repeats 256 times>, ares_result = {
            {result_props = 0, result_method = 0, result_result = 0, result_ptype = {0 <repeats 16 times>}, 
              result_reason = '\000' <repeats 256 times>, result_property = {'\000' <repeats 256 times> <repeats 16 times>}, 
              result_value = {'\000' <repeats 256 times> <repeats 16 times>}} <repeats 16 times>}}
        __PRETTY_FUNCTION__ = "mlfi_eom"
        arcares = {instance = 0, authserv_id = '\000' <repeats 256 times>, arc = '\000' <repeats 512 times>, 
          dkim = '\000' <repeats 512 times>, dmarc = '\000' <repeats 512 times>, spf = '\000' <repeats 512 times>}
        arcares_arc_field = {arcresult = '\000' <repeats 256 times>, smtpclientip = '\000' <repeats 256 times>, 
          arcchain = '\000' <repeats 512 times>}
#3  0x00007f6a2bdd3535 in st_bodyend (g=g@entry=0x7f6a22ffce80) at engine.c:1614
        r = <optimized out>
        fi_body = <optimized out>
        fi_eom = <optimized out>
#4  0x00007f6a2bdd38d7 in mi_engine (ctx=ctx@entry=0x959c90) at engine.c:405
        len = 0
        i = 4
        sd = 5
        ret = 0
        curstate = 10
        newstate = 10
        call_abort = 0
        r = -2
        cmd = 69 'E'
        buf = 0x0
        arg = {a_len = 0, a_buf = 0x0, a_idx = 5, a_ctx = 0x959c90}
        timeout = {tv_sec = 7209, tv_usec = 999999}
        f = 0x7f6a2bdd34e0 <st_bodyend>
        fi_abort = 0x406050 <mlfi_abort>
        fi_close = <optimized out>
---Type <return> to continue, or q <return> to quit---
#5  0x00007f6a2bdd5a08 in mi_handle_session (ctx=0x959c90) at handler.c:45
        ret = <optimized out>
#6  0x00007f6a2bdd4549 in mi_thread_handle_wrapper (arg=<optimized out>) at listener.c:579
No locals.
#7  0x00007f6a2bbb9ea5 in start_thread (arg=0x7f6a22ffd700) at pthread_create.c:307
        __res = <optimized out>
        pd = 0x7f6a22ffd700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140093830452992, -1895300315694036816, 1, 8392704, 3, 140093830452992, 
                1974493738560325808, 1974508550265047216}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#8  0x00007f6a2ad8cb0d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.

I see a flurry of segfaults today, not sure if this is one of those or a new one.

[minfrin]

Other segaults:

#183

[glts]

Did this crash happen with the patch from #183 applied? (The patch has been included in distros like Debian for a while.)

I haven’t experienced crashes with the patch applied. If you do see crashes even with the patch, please say exactly what commit you are using and what patches you did apply, so that we know exactly what the line numbers in the stack trace refer to.

[tachtler]

Hi,

same problem on my OpenDMARC on CentOS-7. Is there a patch for CentOS-7/EPEL available?

Thank you!
Klaus.

[Django-BOfH]

I can confirm the problem with opendmarc-daemon on CentOS 7. An update of the opendmarc package for CentOS-7/EPEL would help a lot.

[glts]

To be clear: I am not aware of any crashing bugs in current OpenDMARC 1.4.2, with the necessary patch linked above applied. The patch is included for example in current Debian or current Ubuntu. If the patch is not applied in CentOS 7/EPEL, report the issue to the maintainers of the package, not here.

[BastienDurel]

Hello. I have many of these crashes too. The patch adds NULL checks in opendmarc_arcseal_lookup(), but in my (and OP's) case, it's the opendmarc_arcseal_parse() which crashes.

It's the same problem :

		tag_label = strsep(&token_ptr, "=");
		tag_value = opendmarc_arcares_strip_whitespace(token_ptr);

strsep() may set token_ptr NULL (In case no delimiter was found, the token is taken to be the entire string *stringp, and *stringp is made NULL), which triggers the assert in opendmarc_arcares_strip_whitespace()

Any mail from postfix mailing list trigger the crash, you can try, for example, this one

root@corrin:/tmp # opendmarc -f -c /tmp/opendmarc.conf
opendmarc: opendmarc-arcares.c:104: opendmarc_arcares_strip_whitespace: Assertion `string != NULL' failed.
Abandon (core dumped)

root@corrin:/ # milter-test-server -s unix:/tmp/opendmarc.sock -m /tmp/xhmo7mg8nvx.fsf@yw-1130.YW

[KIC-8462852]

You are wrong @BastienDurel. First, there is no function opendmarc_arcseal_lookup() here. Second, the mentioned patch #183 is all about adding NULL checks precisely in opendmarc_arcseal_parse(). Did you apply the patch #183?

[BastienDurel]

You're right, I messed up my explanations. it's opendmarc_arcares_arc_parse that misses NULL check (so not the OP's crash, do I need to open a new issue ?).

I run Debian 11 package, which has the patch.

Here is the backtrace of the crash :

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ff7740d4537 in __GI_abort () at abort.c:79
#2  0x00007ff7740d440f in __assert_fail_base (fmt=0x7ff77424b688 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x557ce52d31a7 "string != NULL", file=0x557ce52d316b "opendmarc-arcares.c", line=104, function=<optimized out>)
    at assert.c:92
#3  0x00007ff7740e3662 in __GI___assert_fail (assertion=assertion@entry=0x557ce52d31a7 "string != NULL", file=file@entry=0x557ce52d316b "opendmarc-arcares.c", line=line@entry=104,
    function=function@entry=0x557ce52d3260 <__PRETTY_FUNCTION__.2> "opendmarc_arcares_strip_whitespace") at assert.c:101
#4  0x0000557ce52cda44 in opendmarc_arcares_strip_whitespace (string=<optimized out>) at opendmarc-arcares.c:104
#5  opendmarc_arcares_arc_parse (hdr_arc=hdr_arc@entry=0x7ff771fc2ee5 "arc=none (Message is not ARC signed)", arc=arc@entry=0x7ff771fc29d0) at opendmarc-arcares.c:327
#6  0x0000557ce52c913f in mlfi_eom (ctx=0x557ce5a76bc0) at opendmarc.c:3734
#7  0x00007ff7742c55ec in mi_engine () from /usr/lib/x86_64-linux-gnu/libmilter.so.1.0.1
#8  0x00007ff7742c7f6e in ?? () from /usr/lib/x86_64-linux-gnu/libmilter.so.1.0.1
#9  0x00007ff77428dea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
#10 0x00007ff7741ada2f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

This is a the strsep that (I think) nullifies token_ptr

OpenDMARC/opendmarc/opendmarc-arcares.c

Line 268 in 9cebf72

tag_label = strsep(&token_ptr, "=");

[KIC-8462852]

Open #242

[thegushi]

A fix for this has been submitted in PR #296 on the fix/arcseal-crashes-183-222-236 branch, which also covers the related crashes in #183, #186, #222, #236, #241, and #242.

The fix addresses two distinct crash modes:

1. SIGABRT (malformed headers with no = in a token, e.g. ARC-Seal: i=1; none): added NULL guards before strip_whitespace() is called in all three ARC parse functions.
2. SIGSEGV (RSA 3072-bit and larger key signatures producing b= values ≥512 bytes): removed the artificial 512-byte token cap from strip_whitespace() in both the arcseal and arcares parsers. Struct field sizes have also been bumped from 512 → 2048 bytes to accommodate large-key signatures without truncation.

If you are able to test against the fix/arcseal-crashes-183-222-236 branch and confirm whether it resolves your issue, that would be very helpful for getting this merged. Thank you!