SMTP: No state update for bad BDAT commands

OSS-Fuzz found that providing an invalid BDAT line would tickle an assert in UpdateState(). The BDAT state was never initialized, but within UpdateState() that was expected. This also removes the AnalyzerViolation() call for bad BDAT commands and instead raises a weird. The SMTP analyzer is very lax and not triggering the violation allows to parse the server's response to such an invalid command. PCAP files produced by a custom Python SMTP client against Postfix.
2025-10-13 03:58:20 +00:00 · 2024-01-15 16:44:49 +01:00 · 2024-01-15 16:44:49 +01:00 · ae2a5c83a4
commit ae2a5c83a4
parent 5ad11e00e3
7 changed files with 134 additions and 25 deletions
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-cmd-invalid/out
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-cmd-invalid/out
@ -0,0 +1,58 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 220, >, example.com ESMTP Postfix (Debian/GNU)
+smtp_request, CHhAvVGS1DHFjwGM9, T, EHLO, localhost
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, example.com
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, PIPELINING
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, SIZE 10240000
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, ETRN
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, STARTTLS
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, ENHANCEDSTATUSCODES
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, 8BITMIME
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, DSN
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, SMTPUTF8
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, EHLO, CHUNKING
+smtp_request, CHhAvVGS1DHFjwGM9, T, MAIL, FROM:<zeek@localhost>
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, MAIL, 2.1.0 Ok
+smtp_request, CHhAvVGS1DHFjwGM9, T, RCPT, TO:<root@localhost>
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 250, RCPT, 2.1.5 Ok
+smtp_request, CHhAvVGS1DHFjwGM9, T, BDAT, 
+smtp_reply, CHhAvVGS1DHFjwGM9, F, 521, BDAT, 5.5.4 Syntax: BDAT count [LAST]
+smtp_request, CHhAvVGS1DHFjwGM9, T, QUIT, 
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 220, >, example.com ESMTP Postfix (Debian/GNU)
+smtp_request, ClEkJM2Vm5giqnMf4h, T, EHLO, localhost
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, example.com
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, PIPELINING
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, SIZE 10240000
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, ETRN
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, STARTTLS
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, ENHANCEDSTATUSCODES
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, 8BITMIME
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, DSN
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, SMTPUTF8
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, EHLO, CHUNKING
+smtp_request, ClEkJM2Vm5giqnMf4h, T, MAIL, FROM:<zeek@localhost>
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, MAIL, 2.1.0 Ok
+smtp_request, ClEkJM2Vm5giqnMf4h, T, RCPT, TO:<root@localhost>
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 250, RCPT, 2.1.5 Ok
+smtp_request, ClEkJM2Vm5giqnMf4h, T, BDAT, 1234 SCRAMBLE
+smtp_reply, ClEkJM2Vm5giqnMf4h, F, 521, BDAT, 5.5.4 Syntax: BDAT count [LAST]
+smtp_request, ClEkJM2Vm5giqnMf4h, T, QUIT, 
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 220, >, example.com ESMTP Postfix (Debian/GNU)
+smtp_request, C4J4Th3PJpwUYZZ6gc, T, EHLO, localhost
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, example.com
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, PIPELINING
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, SIZE 10240000
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, ETRN
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, STARTTLS
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, ENHANCEDSTATUSCODES
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, 8BITMIME
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, DSN
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, SMTPUTF8
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, EHLO, CHUNKING
+smtp_request, C4J4Th3PJpwUYZZ6gc, T, MAIL, FROM:<zeek@localhost>
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, MAIL, 2.1.0 Ok
+smtp_request, C4J4Th3PJpwUYZZ6gc, T, RCPT, TO:<root@localhost>
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 250, RCPT, 2.1.5 Ok
+smtp_request, C4J4Th3PJpwUYZZ6gc, T, BDAT, SCRAMBLE
+smtp_reply, C4J4Th3PJpwUYZZ6gc, F, 521, BDAT, 5.5.4 Syntax: BDAT count [LAST]
+smtp_request, C4J4Th3PJpwUYZZ6gc, T, QUIT, 
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-cmd-invalid/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-cmd-invalid/smtp.log
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	33472	127.0.0.1	25	1	localhost	zeek@localhost	root@localhost	-	-	-	-	-	-	-	-	-	-	-	521 5.5.4 Syntax: BDAT count [LAST]	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	52364	127.0.0.1	25	1	localhost	zeek@localhost	root@localhost	-	-	-	-	-	-	-	-	-	-	-	521 5.5.4 Syntax: BDAT count [LAST]	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	127.0.0.1	46862	127.0.0.1	25	1	localhost	zeek@localhost	root@localhost	-	-	-	-	-	-	-	-	-	-	-	521 5.5.4 Syntax: BDAT count [LAST]	127.0.0.1,127.0.0.1	-	F	(empty)
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-cmd-invalid/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.bdat-cmd-invalid/weird.log
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	33472	127.0.0.1	25	smtp_invalid_bdat_command	BDAT not followed by a valid chunk-size	F	zeek	SMTP
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	52364	127.0.0.1	25	smtp_invalid_bdat_command	BDAT chunk-size followed by junk	F	zeek	SMTP
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	127.0.0.1	46862	127.0.0.1	25	smtp_invalid_bdat_command	BDAT not followed by a valid chunk-size	F	zeek	SMTP
+#close XXXX-XX-XX-XX-XX-XX