Dovecot-2.2.1's imap processes crash reliably when they use an IMAP URL with an invalid access specifier. A backtrace and some debug output follows. The crash is likely caused by imap_urlauth_fetch_parsed() returning 0 without having set *mpurl_r to NULL, and then imap_urlauth_fetch_local() freeing an uninitialized pointer.

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000001059

0   libdovecot-storage.0.dylib  0x000000010b06a383 imap_msgpart_url_free + 17
1   imap                        0x000000010afc71cc imap_urlauth_fetch_local + 770
2   imap                        0x000000010afc6dcf imap_urlauth_fetch_url + 439
3   imap                        0x000000010afbb489 cmd_urlfetch + 580
4   imap                        0x000000010afbdf4d command_exec + 55
5   imap                        0x000000010afbdabb client_command_input + 34
6   imap                        0x000000010afbdc7c client_command_input + 483
7   imap                        0x000000010afbd351 client_handle_input + 239
8   imap                        0x000000010afbc613 client_input + 119
9   libdovecot.0.dylib          0x000000010b111c74 io_loop_call_io + 46
10  libdovecot.0.dylib          0x000000010b112c85 io_loop_handler_run + 214
11  libdovecot.0.dylib          0x000000010b111e1f io_loop_run + 77
12  libdovecot.0.dylib          0x000000010b0d10c6 master_service_run + 24
13  imap                        0x000000010afc5aba main + 1010
14  libdyld.dylib               0x00007fff89e5f7bd start + 1

Apr 29 20:00:31 imap(pid 82429 user mja): Debug: Fetching local URLAUTH imap://mja at duck.example.com/INBOX;uidvalidity=1366726248/;uid=19;urlauth=submit+mja:internal:012c9c6a3d74db6509e4a3802a0f5edf64546608b8
Apr 29 20:00:31 imap(pid 82429 user mja): Debug: Failed to fetch URLAUTH "imap://mja at duck.example.com/INBOX;uidvalidity=1366726248/;uid=19;urlauth=submit+mja:internal:012c9c6a3d74db6509e4a3802a0f5edf64546608b8": No 'submit+mja' access allowed for user mja
Apr 29 20:00:31 imap(pid 82429 user mja): Fatal: master: service(imap): child 82429 killed with signal 11 (core dumps disabled)
On 30.4.2013, at 4.07, Mike Abbott <michael.abbott at apple.com> wrote:

> Dovecot-2.2.1's imap processes crash reliably when they use an IMAP URL with an invalid access specifier. A backtrace and some debug output follows. The crash is likely caused by imap_urlauth_fetch_parsed() returning 0 without having set *mpurl_r to NULL, and then imap_urlauth_fetch_local() freeing an uninitialized pointer.

Right, fixed: http://hg.dovecot.org/dovecot-2.2/rev/24aa10efe132

I also noticed another crash: http://hg.dovecot.org/dovecot-2.2/rev/2a3134b0c25d
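The bug class the report diagnoses, as an added illustration that is not Dovecot's code and not taken from either message above: a callee that takes an out-parameter (here `mpurl_r`) returns a failure code on one path without ever assigning it, and a caller that unconditionally runs its cleanup then frees whatever the stack happened to hold. Everything below is a constructed model: the `access_allowed` policy, the `msgpart_url` layout, the `fetch_parsed_buggy` / `fetch_parsed_fixed` pair, the `GARBAGE` sentinel (chosen to echo the faulting address 0x1059 in the report) and the `fetch_local` caller are all hypothetical stand-ins for the real functions of the same shape; the real `imap_urlauth_fetch_local()` has no way to recognise an uninitialized value and simply crashes in the free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the parsed message-part URL object (hypothetical layout). */
struct msgpart_url {
	char mailbox[32];
	unsigned int uid;
};

/* Constructed access policy: a user may use "anonymous" or "user+<self>";
   "submit+<name>" is refused, mirroring the "No 'submit+mja' access
   allowed" debug line in the report. Returns 1 if allowed, 0 if not. */
int access_allowed(const char *user, const char *access)
{
	char self[64];
	snprintf(self, sizeof(self), "user+%s", user);
	return strcmp(access, "anonymous") == 0 || strcmp(access, self) == 0;
}

static struct msgpart_url *msgpart_url_new(const char *mailbox, unsigned int uid)
{
	struct msgpart_url *m = calloc(1, sizeof(*m));
	if (m == NULL)
		abort();
	snprintf(m->mailbox, sizeof(m->mailbox), "%s", mailbox);
	m->uid = uid;
	return m;
}

/* Frees and NULLs the pointer, in the style of a *_free(&ptr) helper.
   Passing an uninitialized pointer here is the reported SIGSEGV. */
void msgpart_url_free(struct msgpart_url **m)
{
	free(*m);
	*m = NULL;
}

/* Buggy shape: returns 0 ("no access") without touching *mpurl_r, so the
   caller's variable keeps whatever the stack held before the call. */
int fetch_parsed_buggy(const char *user, const char *access,
		       struct msgpart_url **mpurl_r)
{
	if (!access_allowed(user, access))
		return 0;
	*mpurl_r = msgpart_url_new("INBOX", 19);
	return 1;
}

/* Fixed shape: the out-parameter is defined on every return path. */
int fetch_parsed_fixed(const char *user, const char *access,
		       struct msgpart_url **mpurl_r)
{
	*mpurl_r = NULL;
	if (!access_allowed(user, access))
		return 0;
	*mpurl_r = msgpart_url_new("INBOX", 19);
	return 1;
}

/* Constructed stand-in for an uninitialized stack slot (hypothetical value
   chosen to echo the crash address). Real code cannot detect this. */
#define GARBAGE ((struct msgpart_url *)0x1059)

/* Caller in the shape of the reported imap_urlauth_fetch_local(): it runs
   its cleanup whether or not the fetch succeeded, trusting the callee's
   contract. Returns 1 = fetched and freed, 0 = clean failure,
   -1 = the free would have dereferenced garbage (the reported crash). */
int fetch_local(int (*fetch)(const char *, const char *, struct msgpart_url **),
		const char *user, const char *access)
{
	struct msgpart_url *mpurl = GARBAGE;   /* models "never initialized" */
	int ret = fetch(user, access, &mpurl);

	if (ret <= 0)
		fprintf(stderr, "Failed to fetch URLAUTH: No '%s' access allowed for user %s\n",
			access, user);
	if (mpurl == GARBAGE)
		return -1;   /* detector for this demo only; real code would free() and die */
	if (mpurl != NULL)
		msgpart_url_free(&mpurl);
	return ret > 0 ? 1 : 0;
}

int main(void)
{
	printf("buggy, denied:  %d\n", fetch_local(fetch_parsed_buggy, "mja", "submit+mja"));
	printf("fixed, denied:  %d\n", fetch_local(fetch_parsed_fixed, "mja", "submit+mja"));
	printf("fixed, allowed: %d\n", fetch_local(fetch_parsed_fixed, "mja", "user+mja"));
	return 0;
}
```

The hardening is entirely in `fetch_parsed_fixed`: assign every out-parameter before the first early return, so callers can keep the simple "free if non-NULL" cleanup without auditing each failure path of the callee. Compiling with `-Wall -Wextra` will not catch the buggy shape, since the assignment is missing in the callee rather than the caller; ASan or Valgrind on the denied path will.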