Roland Stigge
2006-Jul-11 15:21 UTC
[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)
Package: dovecot
Severity: important
Tags: patch

Hi,

a recent addition in src/lib-storage/index/mbox/istream-raw-mbox.c:

=======================================================================================
[...]
        if (pos == 2) {
                /* we're at the end of file with CR+LF linefeeds?
                   need more data to verify it. */
                rstream->input_peak_offset = stream->istream.v_offset + pos;
                return _read(stream);
        }
[...]
=======================================================================================

makes my imap process crash, resulting in repeatedly spawned (and killed) processes in my log file:

=======================================================================================
[...]
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:04 localhost dovecot: child 31284 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: child 31287 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31293 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31296 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: child 31299 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:06 localhost dovecot: child 31310 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: child 31313 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: child 31316 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
[...]
=======================================================================================

This is caused by the infinite recursive loop made by the "return _read(stream);"

The problem is triggered in my mbox directories because I have .svn/format files lying around (mail under svn revision control). In this case, the file is 2 bytes long:

=======================================================================================
ernie at dent:~/Mail$ hexdump -C .svn/format
00000000  34 0a                                             |4.|
00000002
=======================================================================================

The attached patch (guarding against eof) is a reasonable workaround.

bye,
  Roland

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot.patch
Type: text/x-c
Size: 682 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20060711/9e53c67b/attachment-0002.bin>
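The recursion described in the report, as an added example (not Dovecot's code and not the reporter's patch): a small model of a raw-mbox style reader over an in-memory "file" delivered in fixed-size chunks. `buggy_read` re-enters itself whenever exactly 2 bytes are buffered, so on the 2-byte `.svn/format` file it never terminates; a recursion cap turns what would be the SIGSEGV into a return value so the demo can run. `guarded_read` adds an EOF check before re-entering. The stream struct, the chunked `refill`, and the rule that `eof` is set when a refill returns no bytes are all assumptions of this model, chosen to mirror `read(2)` semantics; the real istream's `eof` flag may behave differently, which is the point of the follow-up message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an istream-raw-mbox style reader, written for this
   thread as an illustration; it is not Dovecot's code. The underlying "file"
   is an in-memory byte string delivered in fixed-size chunks, so that a
   refill can legitimately return 0 bytes (end of file) just as read(2) does. */
struct mbox_stream {
    const char *data;   /* whole file contents (constructed sample input) */
    size_t size;        /* file length in bytes */
    size_t chunk;       /* bytes the underlying stream hands over per refill */
    size_t v_offset;    /* offset of the buffer start within the file */
    size_t pos;         /* bytes currently buffered from v_offset onwards */
    bool eof;           /* set once a refill returned no new bytes (model assumption) */
    int depth;          /* recursion counter, only so the demo cannot crash */
};

/* Cap on recursion depth. The bug would recurse until the stack is gone;
   the cap converts that into a recognisable return value instead. */
#define MAX_DEPTH 1000
#define RECURSION_RUNAWAY (-2)

struct mbox_stream make_stream(const char *data, size_t size, size_t chunk)
{
    struct mbox_stream s;
    memset(&s, 0, sizeof s);
    s.data = data;
    s.size = size;
    s.chunk = chunk;
    return s;
}

/* Pull the next chunk into the buffer; flag EOF when nothing new arrived. */
static void refill(struct mbox_stream *s)
{
    size_t have = s->v_offset + s->pos;
    size_t remaining = s->size - have;
    size_t n = remaining < s->chunk ? remaining : s->chunk;
    s->pos += n;
    if (n == 0)
        s->eof = true;
}

/* Shape of the reported bug: with exactly 2 bytes buffered the reader cannot
   tell "last line ends in CR+LF" from "there is more to come", so it asks for
   more data by calling itself. On a 2-byte file no more data ever comes, and
   nothing stops the recursion. */
int buggy_read(struct mbox_stream *s)
{
    if (++s->depth > MAX_DEPTH)
        return RECURSION_RUNAWAY;   /* stand-in for the stack overflow */
    refill(s);
    if (s->pos == 2)
        return buggy_read(s);       /* unconditional re-entry */
    return (int)s->pos;
}

/* Same logic with an EOF guard: only recurse while the underlying stream can
   still deliver bytes. At EOF the 2 bytes are simply the whole record. */
int guarded_read(struct mbox_stream *s)
{
    if (++s->depth > MAX_DEPTH)
        return RECURSION_RUNAWAY;
    refill(s);
    if (s->pos == 2 && !s->eof)
        return guarded_read(s);
    return (int)s->pos;
}

int main(void)
{
    /* The reporter's trigger: a 2-byte .svn/format file containing "4\n". */
    static const char svn_format[] = "4\n";
    struct mbox_stream a = make_stream(svn_format, 2, 2);
    struct mbox_stream b = make_stream(svn_format, 2, 2);
    printf("buggy_read   -> %d (depth %d)\n", buggy_read(&a), a.depth);
    printf("guarded_read -> %d (depth %d)\n", guarded_read(&b), b.depth);

    /* A file where the first 2 bytes really were just the first chunk. */
    static const char crlf_body[] = "a\r\nb";
    struct mbox_stream c = make_stream(crlf_body, 4, 2);
    printf("guarded_read -> %d (depth %d)\n", guarded_read(&c), c.depth);
    return 0;
}
```

The guard is only as good as the stream's EOF signal: the second case shows why an unconditional "read once more" is tempting (a CR+LF split across chunks), and the first shows why it must be bounded by something that actually changes between calls. Any non-mailbox file that happens to be 2 bytes long in a directory the mbox code walks is enough to hit it, which is why a stray version-control artefact crashed every login.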
Roland Stigge
2006-Jul-11 15:48 UTC
[Dovecot] dovecot: imap segfaults on small mbox files (2 bytes)
Roland Stigge wrote:
> The attached patch (guarding against eof) is a reasonable workaround.

I rather "#if 0"-ed the if-section. Somehow ...eof doesn't indicate the real eof...
Timo Sirainen
2006-Aug-10 19:06 UTC
[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)
On Tue, 2006-07-11 at 17:21 +0200, Roland Stigge wrote:
> This is caused by the infinite recursive loop made by the "return _read(stream);"
>
> The problem is triggered in my mbox directories because I have .svn/format
> files lying around (mail under svn revision control). In this case, the file is 2 bytes long:

Thanks, fixed: http://dovecot.org/list/dovecot-cvs/2006-August/006233.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL: <http://dovecot.org/pipermail/dovecot/attachments/20060810/4f98b004/attachment.bin>