"Command died with signal 10" using pipe and a C script


"Command died with signal 10" using pipe and a C script

Jordi Moles
hi,

and thanks in advance for your help.

I'm using a home-made script called "quota_postfix" through the "pipe"
feature of postfix.

here's how i call the C script from postfix:

master.cf:

********************************

................

# spamfilter
spamfilter      unix    -       n       n       -       20      pipe
  flags=R user=filter argv=/home/cgi-bin/antispam.pl "localhost:10027"
  "antispam" "${sender}" "${recipient}" "/usr/local/bin/spamc"

# from spamfilter to smtpd:10026
localhost:10027 inet    n       -       n       -       100       smtpd
  -o content_filter=quota_postfix

# quota_postfix
quota_postfix      unix    -       n       n       -       20      pipe
  flags=R user=filter argv=/usr/local/etc/postfix/quota_postfix
  "localhost" "10028" "${sender}" "${recipient}" "${domain}"

# from quota_postfix to smtpd:10028
localhost:10028 inet    n       -       n       -       100       smtpd
  -o content_filter=

..............................

*******************


The issue in this set-up is that sometimes, let's say, just 1 of every
200 or 300 messages gets bounced. If you have a look at the postfix's
logs, you'll see this:


************************
Aug  8 10:28:11 mail01 postfix/pipe[78884]: E0402143719:
to=<xxxx@xxxxxx, relay=quota_postfix, delay=0.21, delays=0.1/0/0/0.1,
dsn=5.3.0, status=bounced (Command died with signal 10:
"/usr/local/etc/postfix/quota_postfix")
************************

If right after that you try to send a new message to that mailbox, it
will get delivered. It seems a really random crash to me.

Anyway...

I've tried to debug my C script for some days now, and ended up doing it
"the hard way". I included some lines in the C script so that it keeps a
log of each line of code it executes before crashing.
And my surprise was that in all the crashes, it gets to the very end of it.
If you have a look at the code that follows....

*********
fprintf(file,"\nDEBUG AA, id: %i",aleatori);

return 0;
***********

these two lines are the end of the file in all the crashes, and "DEBUG
AA", "DEBUG 43" and also "DEBUG 44" are written on the file.

the communication with postfix is done by using the function
"reinjecta_mail" i've also attached.

is there anything wrong that postfix can't understand and therefore
crashes?

I was suggested that this "signal 10" could be a mistreatment of an
array or a general core dump, but from the debugging i've realised that
it gets to the end of it, so... there must be something about how i send
the message back to postfix.

I'm using postfix 2.5 on a FreeBSD 7.0 server.



*******************

int reinjecta_mail(char *portnet,char *ipnet,char *remitent,char *victima,char *missatge,int aleatori)
{
        // Finally, re-inject the mail to the IP and port specified in the parameters
        int sock;
        struct sockaddr_in server;
        struct hostent *hp;

        // file where we will write all the problems that occur
        FILE *file;
        file = fopen("/var/log/quota-postfix.log","a+");
        // create a socket
        if((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)
        {
                fprintf(file,"\n - error al crear socket per retornar el correu.");
                fclose(file);
                return 0;
        }
        // give it a name and some properties
        server.sin_family = AF_INET;
        server.sin_port = htons(atoi(portnet));
        server.sin_addr.s_addr = htonl (INADDR_ANY);
        bind (sock, (struct sockaddr *) &server, sizeof (server));
        // create the connection
        hp = gethostbyname(ipnet);
        bcopy ( hp->h_addr, &(server.sin_addr.s_addr), hp->h_length);
        if(connect(sock, (struct  sockaddr *)&server, sizeof(server)) != 0)
        {
                fprintf(file,"\n - error al fer la conexio al postfix per retornar el correu. Port: %s IP: %s",portnet,ipnet);
                fclose(file);
                return 0;
        }
        // first write the hello to the server, per the SMTP RFC
        char hola[100],resultat[100];
        strcpy(hola,"");
        strcpy(hola,"HELO localhost\r\n");
        write(sock,hola,strlen(hola));
        read(sock,resultat,100);
        strcpy(hola,"MAIL FROM:<");
        strcat(hola,remitent);
        strcat(hola,">\r\n");
        write(sock,hola,strlen(hola));
        strcpy(resultat,"");
        read(sock,resultat,100);
        strcpy(hola,"RCPT TO:<");
        strcat(hola,victima);
        strcat(hola,">\r\n");
        write(sock,hola,strlen(hola));
        strcpy(resultat,"");
        read(sock,resultat,100);
        strcpy(hola,"DATA\r\n");
        write(sock,hola,strlen(hola));
        strcpy(resultat,"");
        read(sock,resultat,100);
        // Finally write the message to send
        write(sock,missatge,strlen(missatge));
        // and now send an end-of-message signal
        write(sock,"\r\n.\r\n",9);
        read(sock,resultat,100);
fprintf(file,"\nDEBUG 43, id: %i",aleatori);
        // close the connection
        close(sock);
fprintf(file,"\nDEBUG 44, id: %i",aleatori);
        return 0;
}

....................

int main(int argc,char *argv[],char *envp[])
{

..............

    if( espaiconsumit < espai) // if the quota has not been exceeded, finally send
    {
        reinjecta_mail(portnet,ipnet,remitent,victima,missatge,aleatori);
fprintf(file,"\nDEBUG AA, id: %i",aleatori);  
        return 0;
    }
    else
    {
        ..............
    }

    return 0;

}



*******************



any idea how to fix this?

thanks.

Re: "Command died with signal 10" using pipe and a C script

Wietse Venema
Jordi Moles Blanco:
> the communication with postfix is done by using the function
> "reinjecta_mail" i've also attached.
>
> is there anything wrong that postfix can't understand and therefore
> crashes?

YOUR PROGRAM crashes, not Postfix. Do not blame the messenger who
brings the bad news.

>             FILE *file;
>             file = fopen("/var/log/quota-postfix.log","a+");

What happens when fopen() does not succeed? Your program crashes
because it follows a null file pointer.

>                 // create the connection
>                 hp = gethostbyname(ipnet);

What happens when gethostbyname() does not succeed? Your program
crashes because it follows a null hp pointer.

>                 bcopy ( hp->h_addr, &(server.sin_addr.s_addr),
> hp->h_length);

What happens when a malicious DNS server sends a large reply?
Your program will have a buffer overflow vulnerability because
hp->h_length is larger than the server.sin_addr.s_addr buffer.


>                 strcpy(hola,"MAIL FROM:<");
>                 strcat(hola,remitent);
>                 strcat(hola,">\r\n");

What happens when the string is larger than your hola buffer?
Your program will have a buffer overflow vulnerability.

>                 strcpy(hola,"RCPT TO:<");
>                 strcat(hola,victima);
>                 strcat(hola,">\r\n");

What happens when the string is larger than your hola buffer?
Your program will have a buffer overflow vulnerability.

And so on.

        Wietse
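
The checks this reply asks for, written out as an added example (not code from the thread or from Postfix): a log open that cannot return NULL, a resolver result that is validated before copying, and SMTP commands built with a length bound. The helper names build_smtp_cmd, copy_ipv4_addr and open_log, the sample address and the log path are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Build "<verb>:<addr>\r\n" in out. Returns the length, or -1 when it would
 * not fit or addr contains CR/LF (one argument must stay one command line). */
int build_smtp_cmd(char *out, size_t outlen, const char *verb, const char *addr)
{
    if (out == NULL || outlen == 0 || verb == NULL || addr == NULL)
        return -1;
    out[0] = '\0';
    if (strpbrk(addr, "\r\n") != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s:<%s>\r\n", verb, addr);
    if (n < 0 || (size_t)n >= outlen) {   /* truncated: refuse, do not send */
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Copy the address only if the lookup succeeded and it is IPv4-sized. */
int copy_ipv4_addr(struct sockaddr_in *dst, const struct hostent *hp)
{
    if (dst == NULL || hp == NULL || hp->h_addr_list == NULL ||
        hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(dst->sin_addr))
        return -1;
    memcpy(&dst->sin_addr, hp->h_addr_list[0], sizeof(dst->sin_addr));
    return 0;
}

/* Open the log for append; fall back to stderr so fprintf() never gets NULL. */
FILE *open_log(const char *path)
{
    FILE *f = fopen(path, "a");
    return f != NULL ? f : stderr;
}

int main(void)
{
    char cmd[100];
    int n = build_smtp_cmd(cmd, sizeof cmd, "MAIL FROM", "user@example.com");
    fprintf(open_log("/nonexistent/quota.log"), "built %d bytes\n", n);
    return n > 0 ? 0 : 1;
}
```

A caller that gets -1 from either helper should exit with a temporary-failure status instead of continuing with a partial command or an unset address.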

Re: "Command died with signal 10" using pipe and a C script

Jordi Moles
hi,

>            
>             YOUR PROGRAM crashes, not Postfix. Do not blame the messenger who

I know that. I don't want to undermine anyone's work. Actually, what i
said was..... is there any bad information at all that i'm sending from
my script which makes postfix crash?


>                 strcpy(hola,"MAIL FROM:<");
>                 strcat(hola,remitent);
>                 strcat(hola,">\r\n");
>
> What happens when the string is larger than your hola buffer?
> Your program will have a buffer overflow vulnerability.



uhmmmm.... i don't know about that. I agree that i don't check if, for
example, "remitent" is longer than "hola" and therefore there's an
overflow vulnerability, it's only a preliminary version of what i intend
to do with this script... but.... why is it that the script doesn't
crash at that point? I mean.... according to the log file.... even when
the script crashes... it gets to the end of the file, it doesn't stop at
that "strcat" call or any other vulnerable call.

Whenever i've used C to write scripts like that i haven't found any case
like this, when there's some wrong lines which may cause the script to
crash but it gets to the end of it anyway... that's actually the issue
that is driving me crazy.

What i'm going to do next is rewrite the whole thing so that i can avoid
these situations you pointed out, but it still looks weird to me.

Thanks for your time.



Wietse Venema wrote:

> Jordi Moles Blanco:
>  
>> the communication with postfix is done by using the function
>> "reinjecta_mail" i've also attached.
>>
>> is there anything wrong that postfix can't understand and therefore
>> crashes?
>>    
>
> YOUR PROGRAM crashes, not Postfix. Do not blame the messenger who
> brings the bad news.
>
>  
>>             FILE *file;
>>             file = fopen("/var/log/quota-postfix.log","a+");
>>    
>
> What happens when fopen() does not succeed? Your program crashes
> because it follows a null file pointer.
>
>  
>>                 // create the connection
>>                 hp = gethostbyname(ipnet);
>>    
>
> What happens when gethostbyname() does not succeed? Your program
> crashes because it follows a null hp pointer.
>
>  
>>                 bcopy ( hp->h_addr, &(server.sin_addr.s_addr),
>> hp->h_length);
>>    
>
> What happens when a malicious DNS server sends a large reply?
> Your program will have a buffer overflow vulnerability because
> hp->h_length is larger than the server.sin_addr.s_addr buffer.
>
>
>  
>>                 strcpy(hola,"MAIL FROM:<");
>>                 strcat(hola,remitent);
>>                 strcat(hola,">\r\n");
>>    
>
> What happens when the string is larger than your hola buffer?
> Your program will have a buffer overflow vulnerability.
>
>  
>>                 strcpy(hola,"RCPT TO:<");
>>                 strcat(hola,victima);
>>                 strcat(hola,">\r\n");
>>    
>
> What happens when the string is larger than your hola buffer?
> Your program will have a buffer overflow vulnerability.
>
> And so on.
>
> Wietse
>