* Fix 2 memory issues:

 - NULL string when trying to check url regexp
 - double free of message byte array as mime_stream frees memory in array if it thinks that stream is
   owner of array's memory

diff --git a/src/message.c b/src/message.c
index 7d30f53f9e27b1f71d9fc5a038894166add646c2..c2acaa0cd8ffd214797159bf752fed839c7d5097 100644 (file)
--- a/src/message.c
+++ b/src/message.c
@@ -335,12 +335,23 @@ process_message (struct worker_task *task)
        tmp->data = task->msg->begin;
        tmp->len = task->msg->len;
        stream = g_mime_stream_mem_new_with_byte_array (tmp);
+       /* 
+        * This causes g_mime_stream not to free memory by itself as it is memory allocated by
+        * pool allocator
+        */
+       g_mime_stream_mem_set_owner (stream, FALSE);
+
        msg_debug ("process_message: construct mime parser from string length %ld", (long int)task->msg->len);
        /* create a new parser object to parse the stream */
        parser = g_mime_parser_new_with_stream (stream);
 
        /* parse the message from the stream */
        message = g_mime_parser_construct_message (parser);
+
+       if (message == NULL) {
+               msg_warn ("process_message: cannot construct mime from stream");
+               return -1;
+       }
        
        task->message = message;
        memory_pool_add_destructor (task->task_pool, (pool_destruct_func)g_object_unref, task->message);
@@ -443,6 +454,11 @@ process_learn (struct controller_session *session)
        tmp->data = session->learn_buf->begin;
        tmp->len = session->learn_buf->len;
        stream = g_mime_stream_mem_new_with_byte_array (tmp);
+       /* 
+        * This causes g_mime_stream not to free memory by itself as it is memory allocated by
+        * pool allocator
+        */
+       g_mime_stream_mem_set_owner (stream, FALSE);
 
        /* create a new parser object to parse the stream */
        parser = g_mime_parser_new_with_stream (stream);

diff --git a/src/url.c b/src/url.c
index 6a8106b205a7909e108153508a79185d25fd41c4..c2575f3c8af5b7efa85b99e38821702001d5eb17 100644 (file)
--- a/src/url.c
+++ b/src/url.c
@@ -859,6 +859,11 @@ url_parse_text (struct worker_task *task, GByteArray *content)
        int rc;
        char *url_str = NULL;
        struct uri *new;
+       
+       if (!content->data || content->len == 0) {
+               msg_warn ("url_parse_text: got empty text part");
+               return;
+       }
 
        if (url_init () == 0) {
                do {
@@ -905,6 +910,11 @@ url_parse_html (struct worker_task *task, GByteArray *content)
        char *url_str = NULL;
        struct uri *new;
 
+       if (!content->data || content->len == 0) {
+               msg_warn ("url_parse_text: got empty text part");
+               return;
+       }
+
        if (url_init () == 0) {
                do {
                        rc = g_regex_match_full (html_re, (const char *)content->data, content->len, pos, 0, &info, &err);

diff --git a/src/worker.c b/src/worker.c
index 53a4db087182895f113eb5ba700e5c52aaff4c65..6c3b245c5bcedd0c87e54ef5f2f34f8ea58b1356 100644 (file)
--- a/src/worker.c
+++ b/src/worker.c
@@ -146,6 +146,13 @@ read_socket (f_str_t *in, void *arg)
                        task->msg = in;
                        msg_debug ("read_socket: got string of length %ld", (long int)task->msg->len);
                        r = process_message (task);
+            if (r == -1) {
+                msg_warn ("read_socket: processing of message failed");
+                               task->last_error = "MIME processing error";
+                               task->error_code = RSPAMD_FILTER_ERROR;
+                               task->state = WRITE_ERROR;
+                               write_socket (task);
+            }
                        r = process_filters (task);
                        if (r == -1) {
                                task->last_error = "Filter processing error";