[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)

Roland Stigge stigge at antcom.de
Tue Jul 11 18:21:46 EEST 2006 

Package: dovecot
Severity: important
Tags: patch

Hi,

a recent addition in src/lib-storage/index/mbox/istream-raw-mbox.c:

========================================================================================
[...]
                if (pos == 2) {
                        /* we're at the end of file with CR+LF linefeeds?
                           need more data to verify it. */
                        rstream->input_peak_offset =
                                stream->istream.v_offset + pos;
                        return _read(stream);
                }
[...]
========================================================================================

makes my imap process crash, resulting in repeatedly spawned (and killed)
processes in my log file:

========================================================================================
[...]
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:04 localhost dovecot: child 31284 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: child 31287 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31293 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31296 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: child 31299 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:06 localhost dovecot: child 31310 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: child 31313 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: child 31316 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
[...]
========================================================================================

This is caused by the infinite recursive loop made by the "return _read(stream);"

The problem is triggered in my mbox directories because I have .svn/format
files lying around (mail under svn revision control). In this case, the file is 2 bytes long:

========================================================================================
ernie at dent:~/Mail$ hexdump -C .svn/format
00000000  34 0a                                             |4.|
00000002
========================================================================================

The attached patch (guarding against eof) is a reasonable workaround.

bye,
  Roland

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot.patch
Type: text/x-c
Size: 682 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20060711/9e53c67b/attachment.bin

More information about the dovecot mailing list