git.ipfire.org Git - thirdparty/rspamd.git/commit

author	Vsevolod Stakhov <vsevolod@rspamd.com>
	Thu, 30 Apr 2026 07:32:28 +0000 (08:32 +0100)
committer	Vsevolod Stakhov <vsevolod@rspamd.com>
	Thu, 30 Apr 2026 07:32:28 +0000 (08:32 +0100)
commit	cb9361e9fed0eabd91d32eb014bf1e62800f502c
tree	e66b98426aa8a002b58023626ee79e616d3abc05	tree \| snapshot
parent	6a174a860602e43d6c4867db176abca6a62e82ed	commit \| diff

[CritFix] mime_parser: avoid NULL deref on SMIME with empty pkcs7-data

When an S/MIME signed message wraps an inner pkcs7-data with a zero-length
OCTET STRING, the SMIME inner-content extraction in rspamd_mime_parse_normal_part
allocated a zero-length buffer and recursed into rspamd_mime_process_multipart_node
with start/end pointing at NULL (g_malloc(0) returns NULL under always_malloc
mempool mode), causing a SIGSEGV at the first byte check.

Fix:
- Skip the SMIME inner recursion when the encapsulated OCTET STRING is empty
  or has a NULL data pointer.
- Add a defensive guard at the top of rspamd_mime_process_multipart_node to
  return RSPAMD_MIME_PARSE_NO_PART for NULL or empty buffers, protecting any
  other caller from the same UB.

Add a Lua regression test that exercises the SMIME-empty path through
rspamd_message_parse. With VALGRIND=1 (forcing always_malloc) the test
reliably reproduced the crash before the fix.

src/libmime/mime_parser.c		diff \| blob \| blame \| history
test/lua/unit/mime_smime_empty.lua	[new file with mode: 0644]	blob