thr3ads.net - dovecot - [Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes) [Jul 2006]

If this information is useful, please help other people find it:
Share via:

Roland Stigge

2006-Jul-11 15:21 UTC

[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)

Package: dovecot
Severity: important
Tags: patch

Hi,

a recent addition in src/lib-storage/index/mbox/istream-raw-mbox.c:

=======================================================================================[...]
                if (pos == 2) {
                        /* we're at the end of file with CR+LF linefeeds?
                           need more data to verify it. */
                        rstream->input_peak_offset                           
stream->istream.v_offset + pos;
                        return _read(stream);
                }
[...]
=======================================================================================
makes my imap process crash, resulting in repeatedly spawned (and killed)
processes in my log file:

=======================================================================================[...]
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:04 localhost dovecot: child 31284 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: child 31287 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31293 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31296 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: child 31299 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:06 localhost dovecot: child 31310 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: child 31313 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: child 31316 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>,
method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
[...]
=======================================================================================
This is caused by the infinite recursive loop made by the "return
_read(stream);"

The problem is triggered in my mbox directories because I have .svn/format
files lying around (mail under svn revision control). In this case, the file is
2 bytes long:

=======================================================================================ernie
at dent:~/Mail$ hexdump -C .svn/format
00000000  34 0a                                             |4.|
00000002
=======================================================================================
The attached patch (guarding against eof) is a reasonable workaround.

bye,
  Roland

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_GB.UTF-8)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot.patch
Type: text/x-c
Size: 682 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20060711/9e53c67b/attachment-0002.bin>

Roland Stigge

2006-Jul-11 15:48 UTC

head link

[Dovecot] dovecot: imap segfaults on small mbox files (2 bytes)

Roland Stigge wrote:> The attached patch (guarding against eof) is a reasonable workaround.
I rather "#if 0"-ed the if-section. Somehow ...eof doesn't
indicate the
real eof...

Timo Sirainen

2006-Aug-10 19:06 UTC

head link

[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)

On Tue, 2006-07-11 at 17:21 +0200, Roland Stigge wrote:> This is caused by the infinite recursive loop made by the "return
_read(stream);"
> 
> The problem is triggered in my mbox directories because I have .svn/format
> files lying around (mail under svn revision control). In this case, the
file is 2 bytes long:
Thanks, fixed:

http://dovecot.org/list/dovecot-cvs/2006-August/006233.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20060810/4f98b004/attachment.bin>

Maybe Matching Threads

Search for more seemingly similar threads

dovecot - Jul 2006 - Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)

[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)

[Dovecot] dovecot: imap segfaults on small mbox files (2 bytes)

[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)

Maybe Matching Threads