Crashes when connecting to server that requires STARTTLS

Attached is output from the test-lm command (from the loudmouth source) with the patch installed.

Thanks for your bug report and your patch, I forwarded the issue upstream: http://developer.imendio.com/issues/browse/LM-62

Uploaded the workaround:

 loudmouth (1.1.4-0ubuntu2) edgy; urgency=low
 .
   * debian/patches/01-workaround_0_connection_data.patch:
     - workaround connection_data->fd == 0. (works around Malone: #64372),
       thanks a lot Johan Kiviniemi <email address hidden>

I will keep the bug open until it is fixed upstream.

i don't know but seems I still have it while using 1.1.4-0ubuntu3

This should now work in the upcoming 1.3.1 unstable version.

This patch is an ugly hack because it still relies on reading free()'d memory to detect the symptom of the bug - the attached patch should fix the real problem. In some connection failure paths, _lm_connection_failed_with_error was being called and kicking off a second connection attempt (eg falling back to an IPv4 address if IPv6 has failed), but then the source ID was being overwritten, meaning the source wasn't destroyed, so the callback was still being called after connect_data had been freed. I guess at some point in the past _lm_connection_failed_with_error didn't exist or do retries, so zeroing out the source ID was a reasonable thing to do in case of failure. I've also added some asserts which should trigger if my understanding of the problem and solution are wrong, and these don't trigger on my machine in either the failure or success cases. I'd recommend pushing this into updates for any supported distribution you ship with 1.2.x.

I subscribed Kees.

Kees: could you please confirm this is a security issue? If yes, then we probably need to address it in gutsy, probably feisty as well; no idea for older releases; what do you think?

Hi, which side of the communication is crashing? (is it the client or the server that crashes?) From the report, it seems like this is the client, in which case I would not consider this a security issue.

The client crashes, I don't think it's a security risk because it's not a double free, just dereferencing free'd memory, and doesn't /usually/ crash because with the original patch, it finds the invalid memory and returns from the function. It's only worth an update because I think that examining memory which has been freed is obviously wrong and I think it can still crash in some cases; it's not a security problem.

could someone confirm this bug is fixed?

Fixed in 8.10 alpha.