Hi,

Apparently the "kick" doveadm_cmd_ver2 struct lacks a .mail_cmd member
pointing to an appropriate allocation function, causing a NULL pointer
dereference when used via `doveadm batch`.

(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x0000555555585882 in doveadm_mail_cmd_init (cmd=cmd@entry=0x7fffffffe680, set=0x5555555f2440) at doveadm-mail.c:596
#2 0x0000555555586f68 in cmd_batch_add (argv=<optimized out>, argc=<optimized out>, batchctx=0x555555606538) at doveadm-mail-batch.c:78
#3 cmd_batch_preinit () at doveadm-mail-batch.c:126
#4 0x00005555555854ce in doveadm_mail_cmd_exec () at doveadm-mail.c:632
#5 0x0000555555585e66 in doveadm_mail_cmd (argv=<optimized out>, argc=4, cmd=0x555555602a00) at doveadm-mail.c:748
#6 doveadm_mail_try_run () at doveadm-mail.c:821
#7 0x0000555555575e7f in main () at doveadm.c:404
#8 0x00007ffff74acb17 in __libc_start_main (main=0x555555575990 <main>, argc=5, argv=0x7fffffffea18, init=<optimized out>, fini=<optimized out>,
   rtld_fini=<optimized out>, stack_end=0x7fffffffea08) at ../csu/libc-start.c:310
#9 0x0000555555575fca in _start () at doveadm-mail.c:1127

(gdb) p *cmd
$5 = {alloc = 0x0, name = 0x5555555bdd0c "kick", usage_args = 0x5555555be738 "[-a <anvil socket path>] <user mask>[|]<ip/bits>"}

(This is Debian bug #915411[1])

Regards,
Apollon

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915411
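The failure mode reported above, as an added example that is not part of the original message and is not Dovecot source or its fix: a command table whose entries carry an `alloc` callback, with a lookup that rejects an entry whose callback is NULL instead of calling it. The struct is a simplified model of the one gdb printed; `mail_cmd_ctx`, `batch_add`, `count_missing_alloc`, the status enum and the table contents are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the struct printed by gdb above; not Dovecot source. */
struct mail_cmd_ctx { const char *name; };
struct mail_cmd {
    struct mail_cmd_ctx *(*alloc)(void);
    const char *name;
    const char *usage_args;
};

static struct mail_cmd_ctx fetch_ctx = { "fetch" };
static struct mail_cmd_ctx *fetch_alloc(void) { return &fetch_ctx; }

/* Constructed table: "kick" is registered without an alloc callback. */
static const struct mail_cmd cmds[] = {
    { fetch_alloc, "fetch", "<fields> <search query>" },
    { NULL, "kick", "[-a <anvil socket path>] <user mask>[|]<ip/bits>" },
};
#define N_CMDS (sizeof(cmds) / sizeof(cmds[0]))

enum batch_status { BATCH_OK, BATCH_UNKNOWN_CMD, BATCH_NO_ALLOC };

/* Calling cmd->alloc() unchecked with alloc == NULL jumps to address 0,
   which is frame #0 of the backtrace. Reject such entries instead. */
enum batch_status batch_add(const char *name, struct mail_cmd_ctx **ctx_r)
{
    *ctx_r = NULL;
    for (size_t i = 0; i < N_CMDS; i++) {
        if (strcmp(cmds[i].name, name) != 0)
            continue;
        if (cmds[i].alloc == NULL)
            return BATCH_NO_ALLOC;   /* report an error, do not crash */
        *ctx_r = cmds[i].alloc();
        return BATCH_OK;
    }
    return BATCH_UNKNOWN_CMD;
}

/* Startup audit: how many registered commands would fail in batch mode. */
size_t count_missing_alloc(void)
{
    size_t n = 0;
    for (size_t i = 0; i < N_CMDS; i++)
        n += (cmds[i].alloc == NULL);
    return n;
}

int main(void) { struct mail_cmd_ctx *c; return batch_add("kick", &c) != BATCH_NO_ALLOC; }
```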
On 21:33 Fri 07 Dec , Apollon Oikonomopoulos wrote:
> Hi,
>
> Apparently the "kick" doveadm_cmd_ver2 struct lacks a .mail_cmd member
> pointing to an appropriate allocation function, causing a NULL pointer
> dereference when used via `doveadm batch`.
>
> (gdb) bt
> #0 0x0000000000000000 in ?? ()
> #1 0x0000555555585882 in doveadm_mail_cmd_init (cmd=cmd@entry=0x7fffffffe680, set=0x5555555f2440) at doveadm-mail.c:596
> #2 0x0000555555586f68 in cmd_batch_add (argv=<optimized out>, argc=<optimized out>, batchctx=0x555555606538) at doveadm-mail-batch.c:78
> #3 cmd_batch_preinit () at doveadm-mail-batch.c:126
> #4 0x00005555555854ce in doveadm_mail_cmd_exec () at doveadm-mail.c:632
> #5 0x0000555555585e66 in doveadm_mail_cmd (argv=<optimized out>, argc=4, cmd=0x555555602a00) at doveadm-mail.c:748
> #6 doveadm_mail_try_run () at doveadm-mail.c:821
> #7 0x0000555555575e7f in main () at doveadm.c:404
> #8 0x00007ffff74acb17 in __libc_start_main (main=0x555555575990 <main>, argc=5, argv=0x7fffffffea18, init=<optimized out>, fini=<optimized out>,
>    rtld_fini=<optimized out>, stack_end=0x7fffffffea08) at ../csu/libc-start.c:310
> #9 0x0000555555575fca in _start () at doveadm-mail.c:1127
>
> (gdb) p *cmd
> $5 = {alloc = 0x0, name = 0x5555555bdd0c "kick", usage_args = 0x5555555be738 "[-a <anvil socket path>] <user mask>[|]<ip/bits>"}
>

Forgot to add, this seems to affect both, 2.2 and 2.3 series.
> On 07 December 2018 at 21:34 Apollon Oikonomopoulos <apoikos at debian.org> wrote:
>
>
> On 21:33 Fri 07 Dec , Apollon Oikonomopoulos wrote:
> > Hi,
> >
> > Apparently the "kick" doveadm_cmd_ver2 struct lacks a .mail_cmd member
> > pointing to an appropriate allocation function, causing a NULL pointer
> > dereference when used via `doveadm batch`.
> >
> > (gdb) bt
> > #0 0x0000000000000000 in ?? ()
> > #1 0x0000555555585882 in doveadm_mail_cmd_init (cmd=cmd@entry=0x7fffffffe680, set=0x5555555f2440) at doveadm-mail.c:596
> > #2 0x0000555555586f68 in cmd_batch_add (argv=<optimized out>, argc=<optimized out>, batchctx=0x555555606538) at doveadm-mail-batch.c:78
> > #3 cmd_batch_preinit () at doveadm-mail-batch.c:126
> > #4 0x00005555555854ce in doveadm_mail_cmd_exec () at doveadm-mail.c:632
> > #5 0x0000555555585e66 in doveadm_mail_cmd (argv=<optimized out>, argc=4, cmd=0x555555602a00) at doveadm-mail.c:748
> > #6 doveadm_mail_try_run () at doveadm-mail.c:821
> > #7 0x0000555555575e7f in main () at doveadm.c:404
> > #8 0x00007ffff74acb17 in __libc_start_main (main=0x555555575990 <main>, argc=5, argv=0x7fffffffea18, init=<optimized out>, fini=<optimized out>,
> >    rtld_fini=<optimized out>, stack_end=0x7fffffffea08) at ../csu/libc-start.c:310
> > #9 0x0000555555575fca in _start () at doveadm-mail.c:1127
> >
> > (gdb) p *cmd
> > $5 = {alloc = 0x0, name = 0x5555555bdd0c "kick", usage_args = 0x5555555be738 "[-a <anvil socket path>] <user mask>[|]<ip/bits>"}
> >
>
> Forgot to add, this seems to affect both, 2.2 and 2.3 series.

Hi!

Thank you for reporting this bug, we'll look into it.

Aki