Fabre

#519954 ssmtp crashes when the "rewriteDomain" option contains a "@" #519954

Package:: ssmtp

Source:: ssmtp

Description:: extremely simple MTA to get mail off the system to a mail hub

Submitter:: Christoph Enzmann

Date:: 2026-03-06 03:05:01 UTC

Severity:: normal

#519954#5

Date:: 2009-03-16 12:19:51 UTC

From:

To:

sSMTP 2.62 (Not sendmail at all)

*** glibc detected *** ssmtp: free(): invalid pointer: 0x0814e4e9 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7e56624]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7e58826]
ssmtp[0x804b2cb]
ssmtp[0x804bc41]
ssmtp[0x804c88f]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7dfe455]
ssmtp[0x8049521]
======= Memory map: ========
08048000-0804f000 r-xp 00000000 08:03 1215855    /usr/sbin/ssmtp
0804f000-08050000 rw-p 00006000 08:03 1215855    /usr/sbin/ssmtp
08050000-08054000 rw-p 08050000 00:00 0
0814d000-0816e000 rw-p 0814d000 00:00 0          [heap]
b7b00000-b7b21000 rw-p b7b00000 00:00 0
b7b21000-b7c00000 ---p b7b21000 00:00 0
b7c88000-b7c94000 r-xp 00000000 08:03 1578012    /lib/libgcc_s.so.1
b7c94000-b7c95000 rw-p 0000b000 08:03 1578012    /lib/libgcc_s.so.1
b7c98000-b7ca2000 r-xp 00000000 08:03 1587487
/lib/i686/cmov/libnss_files-2.7.so
b7ca2000-b7ca4000 rw-p 00009000 08:03 1587487
//lib/i686/cmov/libnss_files-2.7.so
b7ca4000-b7cad000 r-xp 00000000 08:03 1587489
/lib/i686/cmov/libnss_nis-2.7.so
b7cad000-b7caf000 rw-p 00008000 08:03 1587489
//lib/i686/cmov/libnss_nis-2.7.so
b7caf000-b7cb6000 r-xp 00000000 08:03 1587485
/lib/i686/cmov/libnss_compat-2.7.so
b7cb6000-b7cb8000 rw-p 00006000 08:03 1587485
//lib/i686/cmov/libnss_compat-2.7.so
b7cb8000-b7cb9000 rw-p b7cb8000 00:00 0
b7cb9000-b7ccd000 r-xp 00000000 08:03 1212579    /usr/lib/libz.so.1.2.3.3
b7ccd000-b7cce000 rw-p 00013000 08:03 1212579    /usr/lib/libz.so.1.2.3.3
b7cce000-b7ccf000 rw-p b7cce000 00:00 0
b7ccf000-b7d66000 r-xp 00000000 08:03 1215867
/usr/lib/libgnutls.so.26.4.6
b7d66000-b7d6c000 rw-p 00097000 08:03 1215867
//usr/lib/libgnutls.so.26.4.6
b7d6c000-b7d6f000 r-xp 00000000 08:03 1213293
/usr/lib/libgpg-error.so.0.3.0
b7d6f000-b7d70000 rw-p 00002000 08:03 1213293
//usr/lib/libgpg-error.so.0.3.0
b7d70000-b7dd6000 r-xp 00000000 08:03 1213291
/usr/lib/libgcrypt.so.11.4.4
b7dd6000-b7dd8000 rw-p 00066000 08:03 1213291
//usr/lib/libgcrypt.so.11.4.4
b7dd8000-b7de7000 r-xp 00000000 08:03 1213321    /usr/lib/libtasn1.so.3.0.15
b7de7000-b7de8000 rw-p 0000e000 08:03 1213321    /usr/lib/libtasn1.so.3.0.15
b7de8000-b7f3d000 r-xp 00000000 08:03 1587478    /lib/i686/cmov/libc-2.7.so
b7f3d000-b7f3e000 r--p 00155000 08:03 1587478    /lib/i686/cmov/libc-2.7.so
b7f3e000-b7f40000 rw-p 00156000 08:03 1587478    /lib/i686/cmov/libc-2.7.so
b7f40000-b7f44000 rw-p b7f40000 00:00 0
b7f44000-b7f4f000 r-xp 00000000 08:03 1215868
/usr/lib/libgnutls-openssl.so.26.4.6
b7f4f000-b7f50000 rw-p 0000a000 08:03 1215868
//usr/lib/libgnutls-openssl.so.26.4.6
b7f50000-b7f65000 r-xp 00000000 08:03 1587484
/lib/i686/cmov/libnsl-2.7.so
b7f65000-b7f67000 rw-p 00014000 08:03 1587484
//lib/i686/cmov/libnsl-2.7.so
b7f67000-b7f69000 rw-p b7f67000 00:00 0
b7f6b000-b7f6e000 rw-p b7f6b000 00:00 0
b7f6e000-b7f6f000 r-xp b7f6e000 00:00 0          [vdso]
b7f6f000-b7f89000 r-xp 00000000 08:03 1577970    /lib/ld-2.7.so
b7f89000-b7f8b000 rw-p 0001a000 08:03 1577970    /lib/ld-2.7.so
bfe76000-bfe8b000 rw-p bffeb000 00:00 0          [stack]
Aborted

#519954#10

Date:: 2009-06-19 07:06:54 UTC

From:

To:

I have this problem too.
(on debian lenny)

Package: ssmtp
Priority: extra
Section: mail
Installed-Size: 0
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Architecture: i386
Version: 2.62-3
Replaces: mail-transport-agent
Provides: mail-transport-agent
Depends: libc6 (>= 2.7-1), libgnutls26 (>= 2.4.0-0), debconf | debconf-2.0
Conflicts: mail-transport-agent
Filename: pool/main/s/ssmtp/ssmtp_2.62-3_i386.deb
Size: 50104

bug:
*** glibc detected *** ssmtp: munmap_chunk(): invalid pointer:
0x09f6a538 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7df6845]
/lib/libc.so.6[0xb7df7949]
ssmtp[0x804b2cb]
ssmtp[0x804bc41]
ssmtp[0x804c88f]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb7da2455]
ssmtp[0x8049521]
======= Memory map: ========
08048000-0804f000 r-xp 00000000 03:01 242509     /usr/sbin/ssmtp
0804f000-08050000 rw-p 00006000 03:01 242509     /usr/sbin/ssmtp
08050000-08054000 rw-p 08050000 00:00 0
09f69000-09f8a000 rw-p 09f69000 00:00 0          [heap]
b7c2d000-b7c39000 r-xp 00000000 03:01 468728     /lib/libgcc_s.so.1
b7c39000-b7c3a000 rw-p 0000b000 03:01 468728     /lib/libgcc_s.so.1
b7c3e000-b7c47000 r-xp 00000000 03:01 468689     /lib/libnss_files-2.7.so
b7c47000-b7c49000 rw-p 00008000 03:01 468689     /lib/libnss_files-2.7.so
b7c49000-b7c51000 r-xp 00000000 03:01 468691     /lib/libnss_nis-2.7.so
b7c51000-b7c53000 rw-p 00007000 03:01 468691     /lib/libnss_nis-2.7.so
b7c53000-b7c5a000 r-xp 00000000 03:01 468687     /lib/libnss_compat-2.7.so
b7c5a000-b7c5c000 rw-p 00006000 03:01 468687     /lib/libnss_compat-2.7.so
b7c5c000-b7c5d000 rw-p b7c5c000 00:00 0
b7c5d000-b7c71000 r-xp 00000000 03:01 194004     /usr/lib/libz.so.1.2.3.3
b7c71000-b7c72000 rw-p 00013000 03:01 194004     /usr/lib/libz.so.1.2.3.3
b7c72000-b7d09000 r-xp 00000000 03:01 194028
/usr/lib/libgnutls.so.26.4.6
b7d09000-b7d0f000 rw-p 00097000 03:01 194028
/usr/lib/libgnutls.so.26.4.6
b7d0f000-b7d10000 rw-p b7d0f000 00:00 0
b7d10000-b7d13000 r-xp 00000000 03:01 193959
/usr/lib/libgpg-error.so.0.3.0
b7d13000-b7d14000 rw-p 00002000 03:01 193959
/usr/lib/libgpg-error.so.0.3.0
b7d14000-b7d7a000 r-xp 00000000 03:01 194146
/usr/lib/libgcrypt.so.11.4.4
b7d7a000-b7d7c000 rw-p 00066000 03:01 194146
/usr/lib/libgcrypt.so.11.4.4
b7d7c000-b7d8b000 r-xp 00000000 03:01 194002     /usr/lib/libtasn1.so.3.0.15
b7d8b000-b7d8c000 rw-p 0000e000 03:01 194002     /usr/lib/libtasn1.so.3.0.15
b7d8c000-b7ec4000 r-xp 00000000 03:01 468672     /lib/libc-2.7.so
b7ec4000-b7ec5000 r--p 00138000 03:01 468672     /lib/libc-2.7.so
b7ec5000-b7ec7000 rw-p 00139000 03:01 468672     /lib/libc-2.7.so
b7ec7000-b7eca000 rw-p b7ec7000 00:00 0
b7eca000-b7ed5000 r-xp 00000000 03:01 194296
/usr/lib/libgnutls-openssl.so.26.4.6
b7ed5000-b7ed6000 rw-p 0000a000 03:01 194296
/usr/lib/libgnutls-openssl.so.26.4.6
b7ed6000-b7ee9000 r-xp 00000000 03:01 468686     /lib/libnsl-2.7.so
b7ee9000-b7eeb000 rw-p 00012000 03:01 468686     /lib/libnsl-2.7.so
b7eeb000-b7eee000 rw-p b7eeb000 00:00 0
b7ef1000-b7ef3000 rw-p b7ef1000 00:00 0
b7ef3000-b7ef4000 r-xp b7ef3000 00:00 0          [vdso]
b7ef4000-b7f0e000 r-xp 00000000 03:01 468669     /lib/ld-2.7.so
b7f0e000-b7f10000 rw-p 0001a000 03:01 468669     /lib/ld-2.7.so
bf8fa000-bf90f000 rw-p bffeb000 00:00 0          [stack]
Abandon

#519954#15

Date:: 2009-10-20 14:45:29 UTC

From:

To:

Hello,

I digged into it, and here is a fix. The problem was we use a variable aimed to be free()'d for some work on a string, thus overwriting the address we would free later. Note that without an @ in rewriteDomain, the free()'d variable p is set to zero by strrchr(), leading to a free(0) which do not make it crash but create a little memory leak.

#519954 ssmtp crashes when the "rewriteDomain" option contains a "@" #519954

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)