oss-sec mailing list archives

Re: Exim 4.95 invalid free


From: Evgeny Legerov <admin () vulndisco cc>
Date: Sun, 7 Aug 2022 18:20:11 +0300

Hi,


Here is another interesting piece of code in Exim 4.96.

I really doubt that it is exploitable, but if someone manages to reproduce at least an ASAN crash, it would be great.

SPF_dns_exim_new(int debug)
{

memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);   /* error path: spf_dns_server handed to libc free() */
  return NULL;
  }


If SPF_dns_rr_new_init() fails, spf_dns_server will be freed with free().


regards,

-e

On 06.08.2022 22:25, Solar Designer wrote:
> On Sat, Aug 06, 2022 at 08:47:21PM +0200, Solar Designer wrote:
>> Yet I understand we cannot really ask you for more, and a brief
>> link-only heads-up is better than none.
> When I wrote the above, I didn't realize these two bugs (in zlib and
> Exim) were Evgeny's own findings.  Now that I do, I think it isn't
> unreasonable for us to ask Evgeny to include the full detail in such
> postings going forward.  We'd appreciate that, Evgeny!
>
> Alexander


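Added illustration, not part of the thread and not Exim's or libspf2's code: the allocation line for spf_dns_server is not in the quoted snippet, but Exim hands out most of its structures from its own store pools rather than from malloc(), which is what makes the free() on the error path an invalid free. The example below rebuilds that pattern with a toy bump allocator in place of the store pool and a hardened release helper that refuses to pass pool memory to free(). pool_get(), pool_owns(), pool_reset(), dns_server_t, rr_new_init(), release_ptr(), dns_server_new_buggy() and dns_server_new_fixed() are all hypothetical stand-ins; the g_rr_init_fails flag exists only to force the failure path the post is about.

```c
/* Added example (not Exim or libspf2 code): allocator mismatch on an error
 * path, shown next to a release helper that checks allocation origin.
 * Everything here is a hypothetical stand-in for the real Exim/libspf2 types. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy bump allocator standing in for an Exim-style store pool: memory is
 * carved out of one arena and reclaimed by resetting the arena, never by
 * free(). */
typedef struct {
    unsigned char buf[4096];
    size_t used;
} pool_t;

static pool_t g_pool;

void *pool_get(size_t n)
{
    n = (n + 15) & ~(size_t)15;             /* keep 16-byte alignment */
    if (n > sizeof g_pool.buf - g_pool.used)
        return NULL;
    void *p = g_pool.buf + g_pool.used;
    g_pool.used += n;
    return p;
}

void pool_reset(void)
{
    g_pool.used = 0;
}

/* True if p lies inside the pool arena, i.e. it is not a malloc() result. */
bool pool_owns(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)g_pool.buf;
    return a >= lo && a < lo + sizeof g_pool.buf;
}

/* Minimal stand-in for libspf2's SPF_dns_server_t. */
typedef struct {
    const char *name;
    int debug;
} dns_server_t;

/* Stand-in for SPF_dns_rr_new_init(); the flag forces the failure path. */
static bool g_rr_init_fails = false;

static void *rr_new_init(dns_server_t *s)
{
    return g_rr_init_fails ? NULL : (void *)s;
}

/* The pattern from the post: struct taken from the pool, handed to free()
 * on the error path.  glibc aborts with "free(): invalid pointer" and ASan
 * reports "attempting free on address which was not malloc()-ed", so this
 * function is shown for comparison only and is never called in the test. */
dns_server_t *dns_server_new_buggy(int debug)
{
    dns_server_t *s = pool_get(sizeof *s);
    if (!s)
        return NULL;
    memset(s, 0, sizeof *s);
    s->name = "exim";
    s->debug = debug;
    if (!rr_new_init(s)) {
        free(s);                            /* BUG: s is pool memory */
        return NULL;
    }
    return s;
}

/* Hardened release: only memory the pool does not own may reach free().
 * Returns 1 if free() was called, 0 if the pointer was left to the pool,
 * -1 for NULL (a no-op either way). */
int release_ptr(void *p)
{
    if (!p)
        return -1;
    if (pool_owns(p))
        return 0;
    free(p);
    return 1;
}

dns_server_t *dns_server_new_fixed(int debug)
{
    dns_server_t *s = pool_get(sizeof *s);
    if (!s)
        return NULL;
    memset(s, 0, sizeof *s);
    s->name = "exim";
    s->debug = debug;
    if (!rr_new_init(s)) {
        release_ptr(s);                     /* pool memory: left to the pool */
        return NULL;
    }
    return s;
}
```

To see the crash the post asks about, build dns_server_new_buggy() with -fsanitize=address, set g_rr_init_fails and call it: ASan flags the free() as a bad-free on a non-heap address. The fixed variant simply leaves the struct to the pool, which is the only correct thing to do with store-pool memory on an error path.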