rfc822 group recipient parsing leaks memory
Hello, RFC 822 describes "group" support in section 6.2.6. The RFC says:

    While a list must be named, it is not required that the contents of the list be included. In this case, the <address> serves only as an indication of group distribution and would appear in the form:

        name:;
Mutt supports this syntax, but there's a bug. If you don't specify the name, mutt leaks 40 bytes of memory for every empty group terminator.
I'm reporting this as a security issue, but you don't have to treat it as one if you don't want to. It's better to click confidential and have you decide you don't care than to not click it and have you be angry with me!
I guess an attacker could send someone a 25MB mail that leaks 1GB (25 megabytes * 40 = 1 gigabyte) of memory. If you send enough mails, you can prevent someone from opening their mailbox.
Reproduce
Download this file: rfc822_parse_adrlist.txt
$ mutt -F /dev/null -f rfc822_parse_adrlist.txt
Details
For every ';' character in either a From: or Cc: header, 40 bytes are leaked.
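To make the failure mode concrete, here is an added example that is not mutt's rfc822.c: a minimal RFC 822 address-list parser with group support, written for this page. The struct layout, the parser and the node counter are all assumptions for illustration (it counts leaked nodes rather than the 40 bytes ASAN reports). With fixed == 0 the ';' handler allocates a terminator node and then drops it on the nameless-group path, which is the pattern the report describes; with fixed == 1 that path releases the node. Named groups, including the RFC's empty "name:;" form, parse without leaking in both variants.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not mutt's rfc822.c: a minimal RFC 822 address-list parser
 * with group support ("name: a@x, b@y;" and the empty form "name:;"). With
 * fixed == 0 the ';' handler drops the node it allocated for a nameless
 * group terminator (the leak pattern in the report); with fixed == 1 it
 * releases it. live_nodes measures the leak without ASAN. */

struct address {
    char *mailbox;            /* NULL for group markers */
    int group;                /* 0 = mailbox, 1 = "name:" start, 2 = ";" end */
    struct address *next;
};

static long live_nodes;       /* nodes allocated and not yet freed */

static struct address *new_address(void)
{
    struct address *a = calloc(1, sizeof *a);
    if (!a) abort();
    live_nodes++;
    return a;
}

static void free_adrlist(struct address *a)
{
    while (a) {
        struct address *next = a->next;
        free(a->mailbox);
        free(a);
        live_nodes--;
        a = next;
    }
}

static void append(struct address **head, struct address **tail, struct address *a)
{
    if (*tail) (*tail)->next = a; else *head = a;
    *tail = a;
}

static const char *skip_blanks(const char *p, const char *end)
{
    while (p < end && (*p == ' ' || *p == '\t')) p++;
    return p;
}

/* Copy [start, end) into a fresh mailbox/group-name node. */
static struct address *token_node(const char *start, const char *end)
{
    struct address *a = new_address();
    size_t len = (size_t)(end - start);
    a->mailbox = malloc(len + 1);
    if (!a->mailbox) abort();
    memcpy(a->mailbox, start, len);
    a->mailbox[len] = '\0';
    return a;
}

static struct address *parse_adrlist(const char *s, int fixed)
{
    struct address *head = NULL, *tail = NULL;
    const char *tok = s;      /* start of the current unparsed token */
    int named_group = 0;      /* inside a group that has a display name */

    for (;; s++) {
        char c = *s;
        if (c == ':') {                       /* "name:" opens a group */
            struct address *g = token_node(skip_blanks(tok, s), s);
            g->group = 1;
            append(&head, &tail, g);
            named_group = g->mailbox[0] != '\0';
            tok = s + 1;
        } else if (c == ',' || c == ';' || c == '\0') {
            const char *t = skip_blanks(tok, s);
            if (t < s) append(&head, &tail, token_node(t, s));   /* mailbox */
            if (c == ';') {                   /* group terminator */
                struct address *end = new_address();
                end->group = 2;
                if (named_group)
                    append(&head, &tail, end);
                else if (fixed)
                    free_adrlist(end);        /* nameless group: release marker */
                /* !fixed: 'end' is neither linked nor freed, so it leaks */
                named_group = 0;
            }
            if (c == '\0') break;
            tok = s + 1;
        }
    }
    return head;
}

/* Parse, free the result, and report how many nodes were left behind. */
static long leaked_nodes(const char *s, int fixed)
{
    live_nodes = 0;
    free_adrlist(parse_adrlist(s, fixed));
    return live_nodes;
}
```

leaked_nodes(":;", 0) returns 1 and leaked_nodes(";;;;", 0) returns 4, one node per stray terminator, which is the per-';' growth the report describes; the fixed variant returns 0 for the same inputs, and a named group such as "Undisclosed recipients:;" leaks nothing in either variant. Building with -fsanitize=address shows the same thing as the trace below: the unfreed node reported as a direct leak from the ';' branch.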
Bug
If you use ASAN, you should see this:
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f31bc68ddc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x7f31bd220af1 in safe_calloc /home/taviso/tmp/mutt/mutt/lib.c:136
#2 0x7f31bd1c7970 in rfc822_parse_adrlist /home/taviso/tmp/mutt/mutt/rfc822.c:590
#3 0x7f31bd18cbc0 in mutt_parse_rfc822_line /home/taviso/tmp/mutt/mutt/parse.c:1264
#4 0x7f31bd18ec8d in mutt_read_rfc822_header /home/taviso/tmp/mutt/mutt/parse.c:1665
#5 0x7f31bd13a717 in mbox_parse_mailbox /home/taviso/tmp/mutt/mutt/mbox.c:332
#6 0x7f31bd13b846 in mbox_open_mailbox /home/taviso/tmp/mutt/mutt/mbox.c:461
#7 0x7f31bd1619ba in mx_open_mailbox /home/taviso/tmp/mutt/mutt/mx.c:656
#8 0x7f31bd13807b in main /home/taviso/tmp/mutt/mutt/main.c:1332
#9 0x7f31bc3370b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)