Michal Soltys
2017-Jan-10 19:58 UTC
[PATCH] mail-storage.c: check against NULL address in strcmp() invocation
Configurations with multiple shared namespaces can trigger a bug where the first argument of strcmp() invocation is NULL. This patch adds an explicit check, analogously to how the second argument is sanitized.
---
 src/lib-storage/mail-storage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib-storage/mail-storage.c b/src/lib-storage/mail-storage.c
index 1d9b1bf..3d9f5dc 100644
--- a/src/lib-storage/mail-storage.c
+++ b/src/lib-storage/mail-storage.c
@@ -282,7 +282,7 @@ mail_storage_match_class(struct mail_storage *storage,
 return FALSE;
 if ((storage->class_flags & MAIL_STORAGE_CLASS_FLAG_UNIQUE_ROOT) != 0 &&
- strcmp(storage->unique_root_dir,
+ strcmp((storage->unique_root_dir != NULL ? storage->unique_root_dir : ""),
 (set->root_dir != NULL ? set->root_dir : "")) != 0)
 return FALSE;
-- 
2.1.3
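Review bot: Mapping a NULL storage->unique_root_dir to "" on the `+` line changes what the UNIQUE_ROOT comparison decides: a storage with no unique root now compares equal to a set whose root_dir is NULL or "", so mail_storage_match_class() returns a match and, presumably, the caller reuses that storage for a namespace it was meant to keep separate. If a NULL unique_root_dir is possible here at all, the defensive form is to treat it as never matching rather than as an empty path, e.g. `(storage->unique_root_dir == NULL || strcmp(storage->unique_root_dir, set->root_dir != NULL ? set->root_dir : "") != 0))` as the second operand of the `&&`, keeping the `return FALSE;` that follows. The new line also runs well past 80 columns; a local `const char *root = storage->unique_root_dir;` would keep the expression readable. mail_storage_match_class() begins and ends outside this hunk, so whether the flag guarantees a non-NULL unique_root_dir cannot be confirmed from the visible lines.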
Timo Sirainen
2017-Jan-10 20:31 UTC
[PATCH] mail-storage.c: check against NULL address in strcmp() invocation
On 10 Jan 2017, at 21.58, Michal Soltys <soltys at ziu.info> wrote:> > Configurations with multiple shared namespaces can trigger a bug > where the first argument of strcmp() invocation is NULL. > > This patch adds an explicit check, analogously to how the second > argument is sanitized.I think it shouldn't be NULL though.. I'd rather add some asserts and figure out why it is. I guess the attached patch assert-crashes? What's the backtrace there? -------------- next part -------------- A non-text attachment was scrubbed... Name: diff Type: application/octet-stream Size: 563 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20170110/28a53c93/attachment-0001.obj> -------------- next part --------------
Michal Soltys
2017-Jan-11 11:28 UTC
[PATCH] mail-storage.c: check against NULL address in strcmp() invocation
On 01/10/2017 09:31 PM, Timo Sirainen wrote:> On 10 Jan 2017, at 21.58, Michal Soltys <soltys at ziu.info> wrote: >> >> Configurations with multiple shared namespaces can trigger a bug >> where the first argument of strcmp() invocation is NULL. >> >> This patch adds an explicit check, analogously to how the second >> argument is sanitized. > > I think it shouldn't be NULL though.. I'd rather add some asserts and figure out why it is. I guess the attached patch assert-crashes? What's the backtrace there? >Yea, assert triggers instantly once I try to read any folder. bt full below #2 0x00007f1b92c53727 in default_fatal_finish (type=LOG_TYPE_PANIC, status=0) at failures.c:201 backtrace = 0x971fb0 "/usr/lib/dovecot/libdovecot.so.0(+0xc36d8) [0x7f1b92c536d8] -> /usr/lib/dovecot/libdovecot.so.0(+0xc4c06) [0x7f1b92c54c06] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f1b92c53a5b] -> /usr/lib/d"... #3 0x00007f1b92c54c06 in i_internal_fatal_handler (ctx=0x7ffdee3f6fe0, format=0x7f1b93043e68 "file %s: line %d (%s): assertion failed: (%s)", args=0x7ffdee3f7000) at failures.c:670 status = 0 #4 0x00007f1b92c53a5b in i_panic (format=0x7f1b93043e68 "file %s: line %d (%s): assertion failed: (%s)") at failures.c:275 ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0, timestamp_usecs = 0} args = <error reading variable args (Attempt to dereference a generic pointer.)> #5 0x00007f1b92f4921e in mail_storage_create_full (ns=0x9927e0, driver=0x7f1b93042516 "shared", data=0x98f438 "mdbox:%h", flags=(unknown: 0), storage_r=0x7ffdee3f71d0, error_r=0x7ffdee3f7230) at mail-storage.c:407 storage_class = 0x7f1b932995c0 <shared_storage> storage = 0x995800 list = 0x994ff0 list_set = {layout = 0x7f1b9304841d "shared", root_dir = 0x98ebc8 "/var/run/dovecot", index_dir = 0x0, index_pvt_dir = 0x0, control_dir = 0x0, alt_dir = 0x0, inbox_path = 0x0, subscription_fname = 0x0, maildir_name = 0x7f1b93044073 "", mailbox_dir_name = 0x7f1b93044073 "", escape_char = 0 '\000', broken_char = 
0 '\000', utf8 = false, alt_dir_nocheck = false, index_control_use_maildir_name = false} list_flags = (unknown: 0) p = 0x0 __FUNCTION__ = "mail_storage_create_full" #6 0x00007f1b92f4931d in mail_storage_create (ns=0x9927e0, driver=0x7f1b93042516 "shared", flags=(unknown: 0), error_r=0x7ffdee3f7230) at mail-storage.c:420 storage = 0x9921e0 #7 0x00007f1b92f3ecdc in mail_namespaces_init_add (user=0x98e0b0, ns_set=0x98ed70, unexpanded_ns_set=0x98e5e8, ns_p=0x992080, error_r=0x7ffdee3f7378) at mail-namespace.c:195 mail_set = 0x98e9d8 ns = 0x9927e0 driver = 0x7f1b93042516 "shared" error = 0x0 ret = 0 #8 0x00007f1b92f3f694 in mail_namespaces_init (user=0x98e0b0, error_r=0x7ffdee3f7378) at mail-namespace.c:414 mail_set = 0x98e9d8 ns_set = 0x98ecc0 unexpanded_ns_set = 0x98e538 namespaces = 0x992080 ns_p = 0x992080 i = 1 count = 3 count2 = 3 __FUNCTION__ = "mail_namespaces_init" #9 0x00007f1b92f52528 in mail_storage_service_init_post (ctx=0x97b7d0, user=0x980040, priv=0x7ffdee3f7380, mail_user_r=0x7ffdee3f7498, error_r=0x7ffdee3f7378) at mail-storage-service.c:728 mail_set = 0x98e9d8 home = 0x980be9 "/var/mail1/msl" mail_user = 0x98e0b0 #10 0x00007f1b92f542c1 in mail_storage_service_next_real (ctx=0x97b7d0, user=0x980040, mail_user_r=0x7ffdee3f7498) at mail-storage-service.c:1426 priv = {uid = 105, gid = 8, uid_source = 0x7f1b930454cc "userdb lookup", gid_source = 0x7f1b930454cc "userdb lookup", home = 0x980be9 "/var/mail1/msl", chroot = 0x971838 ""} error = 0x0 len = 0 disallow_root = true temp_priv_drop = false use_chroot = true #11 0x00007f1b92f5437c in mail_storage_service_next (ctx=0x97b7d0, user=0x980040, mail_user_r=0x7ffdee3f7498) at mail-storage-service.c:1444 old_log_prefix = 0x97fe50 "imap(msl): " ret = 0 #12 0x00007f1b92f544f5 in mail_storage_service_lookup_next (ctx=0x97b7d0, input=0x7ffdee3f7520, user_r=0x7ffdee3f7490, mail_user_r=0x7ffdee3f7498, error_r=0x7ffdee3f7518) at mail-storage-service.c:1477 user = 0x980040 ret = 1 #13 0x00000000004314f0 in 
client_create_from_input (input=0x7ffdee3f7520, fd_in=7, fd_out=7, client_r=0x7ffdee3f7510, error_r=0x7ffdee3f7518) at main.c:228 user = 0x7ffdee3f74d0 mail_user = 0x7ffdee3f7510 ns = 0x7f1b92c9dfb3 client = 0x979370 imap_set = 0xc00000000 lda_set = 0x971100 errstr = 0x7f1b92efeac0 <static_system_pool> "\200\352\357\222\033\177" mail_error = 32539 #14 0x0000000000431968 in login_client_connected (login_client=0x97da20, username=0x971043 "msl", extra_fields=0x9710d0) at main.c:316 input = {module = 0x43db49 "imap", service = 0x43db49 "imap", username = 0x971043 "msl", session_id = 0x97daa0 "PARRLs5FeMjAqAD+", session_id_prefix = 0x0, session_create_time = 0, local_ip = {family = 2, u = {ip6 = {__in6_u = { __u6_addr8 = "\300\250\000\374", '\000' <repeats 11 times>, __u6_addr16 = {43200, 64512, 0, 0, 0, 0, 0, 0}, __u6_addr32 = { 4227901632, 0, 0, 0}}}, ip4 = {s_addr = 4227901632}}}, remote_ip = {family = 2, u = {ip6 = {__in6_u = { __u6_addr8 = "\300\250\000\376", '\000' <repeats 11 times>, __u6_addr16 = {43200, 65024, 0, 0, 0, 0, 0, 0}, __u6_addr32 = { 4261456064, 0, 0, 0}}}, ip4 = {s_addr = 4261456064}}}, local_port = 0, remote_port = 0, userdb_fields = 0x9710d0, flags_override_add = (unknown: 0), flags_override_remove = (unknown: 0), no_userdb_lookup = 0, debug = 0} client = 0x3000000018 flags = (MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION | unknown: 32538) error = 0x7ffdee3f75f0 "0?" 
__FUNCTION__ = "login_client_connected" #15 0x00007f1b92bc31c1 in master_login_auth_finish (client=0x97da20, auth_args=0x9710c8) at master-login.c:210 login = 0x97cd30 service = 0x9795e0 close_sockets = true __FUNCTION__ = "master_login_auth_finish" #16 0x00007f1b92bc3aca in master_login_auth_callback (auth_args=0x9710c8, errormsg=0x0, context=0x97da20) at master-login.c:379 client = 0x97da20 conn = 0x97d820 reply = {tag = 1, status = MASTER_AUTH_STATUS_OK, mail_pid = 20189} #17 0x00007f1b92bc4ae9 in master_login_auth_input_user (auth=0x97cdb0, args=0x97de5c "4291297281\tmsl\tuid=105\tgid=8\tmail=maildir:/var/mail1/msl\thome=/var/mail1/msl\tauth_token=18dd1092f041e803835776fae22759a100511eb8") at master-login-auth.c:244 request = 0x97cc30 list = 0x9710c0 id = 4291297281 #18 0x00007f1b92bc4fb1 in master_login_auth_input (auth=0x97cdb0) at master-login-auth.c:364 line = 0x97de57 "USER\t4291297281\tmsl\tuid=105\tgid=8\tmail=maildir:/var/mail1/msl\thome=/var/mail1/msl\tauth_token=18dd1092f041e803835776fae22759a100511eb8" ret = false #19 0x00007f1b92c72545 in io_loop_call_io (io=0x97ccb0) at ioloop.c:599 ioloop = 0x979740 t_id = 2 __FUNCTION__ = "io_loop_call_io" #20 0x00007f1b92c74e68 in io_loop_handler_run_internal (ioloop=0x979740) at ioloop-epoll.c:222 ctx = 0x97b260 events = 0x97c0d0 event = 0x97c0d0 list = 0x97cd10 io = 0x97ccb0 tv = {tv_sec = 154, tv_usec = 999457} events_count = 5 msecs = 155000 ret = 1 i = 0 j = 0 call = true __FUNCTION__ = "io_loop_handler_run_internal" #21 0x00007f1b92c72726 in io_loop_handler_run (ioloop=0x979740) at ioloop.c:648 No locals. #22 0x00007f1b92c72649 in io_loop_run (ioloop=0x979740) at ioloop.c:623 __FUNCTION__ = "io_loop_run" #23 0x00007f1b92bc6e3b in master_service_run (service=0x9795e0, callback=0x431b68 <client_connected>) at master-service.c:641 No locals. 
#24 0x0000000000431efb in main (argc=1, argv=0x979390) at main.c:460 set_roots = {0x43ca60 <imap_setting_parser_info>, 0x648340 <lda_setting_parser_info>, 0x0} login_set = {auth_socket_path = 0x971048 "id=105", postlogin_socket_path = 0x0, postlogin_timeout_secs = 60, callback = 0x431883 <login_client_connected>, failure_callback = 0x431ad3 <login_client_failed>, request_auth_token = 1} service_flags = MASTER_SERVICE_FLAG_KEEP_CONFIG_OPEN storage_service_flags = (MAIL_STORAGE_SERVICE_FLAG_DISALLOW_ROOT | MAIL_STORAGE_SERVICE_FLAG_AUTOEXPUNGE) username = 0x0 auth_socket_path = 0x43dc63 "auth-master" c = -1