Diego Liziero
2008-Mar-11  07:54 UTC
[Dovecot] dovecot-1.1.rc3 segmentation fault in fetch_bodystructure
Hi,
another imap crash with latest dovecot.
segmentation fault in fetch_bodystructure
src/imap/imap-fetch.c
static int fetch_bodystructure(struct imap_fetch_context *ctx,
                               struct mail *mail, void *context ATTR_UNUSED)
{
        const char *bodystructure;
        if (mail_get_special(mail, MAIL_FETCH_IMAP_BODYSTRUCTURE,
                             &bodystructure) < 0)
                return -1;
---> before the segfault here we have bodystructure=0 and
mail_get_special returns >=0
[..]
        if (o_stream_send(ctx->client->output, "BODYSTRUCTURE (", 15) < 0 ||
/*line 461*/      o_stream_send_str(ctx->client->output, bodystructure) < 0 ||
---> here o_stream_send_str calls strlen(bodystructure=0), and strlen
tries to access "Address 0x0" causing a segfault
--
 Address 0x0 is not stack'd, malloc'd or (recently) free'd
Process terminating with default action of signal 11 (SIGSEGV): dumping core
 Access not within mapped region at address 0x0
   at: strlen
   by: o_stream_send_str (ostream.c:163)
   by: fetch_bodystructure (imap-fetch.c:461)
   by: imap_fetch (imap-fetch.c:309)
   by: cmd_fetch (cmd-fetch.c:154)
   by: client_command_input (client.c:546)
   by: client_command_input (client.c:595)
   by: client_handle_input (client.c:636)
   by: client_input (client.c:691)
   by: io_loop_handler_run (ioloop-epoll.c:201)
   by: io_loop_run (ioloop.c:301)
   by: main (main.c:293)
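As an added example (not Dovecot's code and not the fix Timo links below), a constructed model of the call sequence above: mail_get_special() "succeeds" but hands back a NULL string, and the guarded fetch turns that into a failed command instead of letting o_stream_send_str() call strlen(NULL). The struct mail, struct ostream and both helper functions are stand-ins, not Dovecot's real types or API.

```c
#include <stddef.h>
#include <string.h>

#define MAIL_FETCH_IMAP_BODYSTRUCTURE 1

/* Constructed stand-ins for Dovecot's struct mail and output stream:
 * a mail either has a cached BODYSTRUCTURE string or NULL. */
struct mail { const char *cached_bodystructure; };
struct ostream { char buf[256]; size_t used; };

/* Models the contract break seen in the report: the call "succeeds"
 * (returns 0) but leaves *value_r NULL when nothing is cached. */
static int mail_get_special(struct mail *mail, int field, const char **value_r)
{
    if (field != MAIL_FETCH_IMAP_BODYSTRUCTURE)
        return -1;
    *value_r = mail->cached_bodystructure;
    return 0;
}

/* Appends to the stream; strlen(str) is the strlen(NULL) in the
 * backtrace, so every caller must guarantee a non-NULL argument. */
static int o_stream_send_str(struct ostream *out, const char *str)
{
    size_t len = strlen(str);
    if (out->used + len + 1 > sizeof out->buf)
        return -1;
    memcpy(out->buf + out->used, str, len + 1);
    out->used += len;
    return 0;
}

/* Hardened fetch: a NULL value is treated as a failed fetch, so the
 * client gets an error reply instead of the process dying with SIGSEGV.
 * The only difference from the reported code is "|| bodystructure == NULL". */
int fetch_bodystructure_checked(struct mail *mail, struct ostream *out)
{
    const char *bodystructure;

    if (mail_get_special(mail, MAIL_FETCH_IMAP_BODYSTRUCTURE,
                         &bodystructure) < 0 || bodystructure == NULL)
        return -1;
    if (o_stream_send_str(out, "BODYSTRUCTURE (") < 0 ||
        o_stream_send_str(out, bodystructure) < 0)
        return -1;
    return 0;
}
```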
Timo Sirainen
2008-Mar-11  08:09 UTC
[Dovecot] dovecot-1.1.rc3 segmentation fault in fetch_bodystructure
On Tue, 2008-03-11 at 08:54 +0100, Diego Liziero wrote:
> Hi,
> another imap crash with latest dovecot.
>
> segmentation fault in fetch_bodystructure

Well, I'm not sure how you managed to cause this, but this should fix it: http://hg.dovecot.org/dovecot-1.1/rev/7e27d67d3abe
Diego Liziero
2008-Mar-11  08:55 UTC
[Dovecot] dovecot-1.1.rc3 segmentation fault in fetch_bodystructure
On Tue, Mar 11, 2008 at 9:09 AM, Timo Sirainen <tss at iki.fi> wrote:
>
> Well, I'm not sure how you managed to cause this, but this should fix
> it: http://hg.dovecot.org/dovecot-1.1/rev/7e27d67d3abe

Thank you Timo for the quick fix, here we have latest rc3 in a production environment. It has been used by over 600 users in the last 2 days.

The most frequently failing assertion (9694 times in 2 days) is the one I posted yesterday:

Panic: IMAP(username): file index-sync.c: line 39 (index_mailbox_set_recent_uid): assertion failed: (seq_range_exists(&ibox->recent_flags, uid))

It happens when users are moving messages to the Trash folder with Thunderbird. The workaround for the user is to delete the messages directly without moving them to Trash.

We had also some trouble with pop3. A couple of users weren't able to get new mail (see log below) until we deleted completely their .imap dir.

Diego.

---
Error: POP3(username): Cached message offset lost for seq 1 in mbox file /maildir/username
Error: POP3(username): Log synchronization error at seq=1,offset=7824 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field alignmentation 8 not used
Error: POP3(username): Log synchronization error at seq=1,offset=7856 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field points outside record size (0+16 > 12)
Error: POP3(username): Log synchronization error at seq=1,offset=7928 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field alignmentation 8 not used
Error: POP3(username): Log synchronization error at seq=1,offset=8004 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field points outside record size (0+16 > 12)
Warning: POP3(username): fscking index file /maildir/username/.imap/INBOX/dovecot.index
Error: POP3(username): Cached message offset lost for seq 1 in mbox file /cl/e/spool-mail/username
Error: POP3(username): Log synchronization error at seq=1,offset=8208 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field alignmentation 8 not used
Error: POP3(username): Log synchronization error at seq=1,offset=8240 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field points outside record size (0+16 > 12)
Error: POP3(username): Log synchronization error at seq=1,offset=8312 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field alignmentation 8 not used
Error: POP3(username): Log synchronization error at seq=1,offset=8388 for /maildir/username/.imap/INBOX/dovecot.index: Broken extension introduction: Record field points outside record size (0+16 > 12)
Warning: POP3(username): fscking index file /maildir/username/.imap/INBOX/dovecot.index
Error: POP3(username): Sending log messages too fast, throttling..
Error: POP3(username): Couldn't init INBOX: Can't sync mailbox: Messages keep getting expunged