bin/138121: fetchmail-6.3.11/SSL_set_fd() bad free/stack corruption

Mark Andrews marka at
Mon Aug 24 01:50:02 UTC 2009

>Number:         138121
>Category:       bin
>Synopsis:       fetchmail-6.3.11/SSL_set_fd() bad free/stack corruption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 24 01:50:00 UTC 2009
>Originator:     Mark Andrews
>Release:        FreeBSD 6.4-STABLE i386
System: FreeBSD 6.4-STABLE FreeBSD 6.4-STABLE #31: Thu Apr 30 07:41:29 EST 2009 marka at i386

fetchmail complains about a junk pointer being freed.  Trying to
chase this, we get a corrupted stack when calling SSL_set_fd().  I was
investigating "fetchmail -d 300" exiting unexpectedly, and when I
ran "fetchmail -d 300 --nodetach" I saw the issue with free.


As root, build a debugging version of fetchmail:
cd usr/ports/mail/fetchmail; make CFLAGS=-g

As a normal user, with the following in .fetchmailrc:
poll proto imap ssl sslcertpath "/home/marka/.certs" sslcertck
env MALLOC_OPTIONS=A gdb /usr/ports/mail/fetchmail/work/fetchmail-6.3.11/fetchmail

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /usr/ports/mail/fetchmail/work/fetchmail-6.3.11/fetchmail -d 300 --nodetach

Breakpoint 1, main (argc=4, argv=0xbfbfe78c) at fetchmail.c:151
151         int bkgd = FALSE;
(gdb) cont
fetchmail: removing stale lockfile
Enter password for marka at 
fetchmail: starting fetchmail 6.3.11 daemon 

Breakpoint 2, query_host (ctl=0x808b600) at fetchmail.c:1431
1431        int st = 0;
(gdb) cont

Breakpoint 3, doIMAP (ctl=0x808b600) at imap.c:1327
1327        return(do_protocol(ctl, &imap));

Breakpoint 4, do_session (ctl=0x808b600, proto=0x807e0c0, maxfetch=0)
    at driver.c:1107
1107            if (ctl->use_ssl &&

Breakpoint 5, SSLOpen (sock=3, mycert=0x0, mykey=0x0, myproto=0x0, certck=1, 
    certpath=0x8089180 "/home/marka/.certs", fingerprint=0x0, 
    servercname=0x808f190 "", 
    label=0x808f190 "", remotename=0x808b688) at socket.c:930
930             if (SSL_set_fd(_ssl_context[sock], sock) == 0 
(gdb) step
fetchmail in free(): error: junk pointer, too high to make sense

Program received signal SIGABRT, Aborted.
0x282c6d7b in kill () from /lib/
(gdb) where
#0  0x282c6d7b in kill () from /lib/
#1  0x282c6d18 in raise () from /lib/
#2  0x282c5a28 in abort () from /lib/
#3  0x282625af in _UTF8_init () from /lib/
#4  0xbfbfe8e0 in ?? ()
#5  0x282ccd33 in sys_nsig () from /lib/
#6  0x282ccc33 in sys_nsig () from /lib/
#7  0x282ccd50 in sys_nsig () from /lib/
#8  0x00000000 in ?? ()
#9  0x282d8140 in ?? () from /lib/
#10 0xbfbfb858 in ?? ()
#11 0x282625dd in _UTF8_init () from /lib/
#12 0x282d8140 in ?? () from /lib/
#13 0x0808098c in _CurrentRuneLocale ()
#14 0xbfbfb908 in ?? ()
#15 0x2826333d in _UTF8_init () from /lib/
#16 0x281bc980 in ASN1_STRING_to_UTF8 () from /lib/
Previous frame inner to this frame (corrupt stack?)