[Dovecot] Bug#377840: dovecot: imap segfaults on small mbox files (2 bytes)
Roland Stigge
stigge at antcom.de
Tue Jul 11 18:21:46 EEST 2006
Package: dovecot
Severity: important
Tags: patch
Hi,
a recent addition in src/lib-storage/index/mbox/istream-raw-mbox.c:
========================================================================================
[...]
	if (pos == 2) {
		/* we're at the end of file with CR+LF linefeeds?
		   need more data to verify it. */
		rstream->input_peak_offset =
			stream->istream.v_offset + pos;
		return _read(stream);
	}
[...]
========================================================================================
makes my imap process crash, resulting in repeatedly spawned (and killed)
processes in my log file:
========================================================================================
[...]
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:04 localhost dovecot: child 31284 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: child 31287 (imap) killed with signal 11
Jul 11 15:31:04 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31293 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:05 localhost dovecot: child 31296 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: child 31299 (imap) killed with signal 11
Jul 11 15:31:05 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:06 localhost dovecot: child 31310 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
Jul 11 15:31:07 localhost dovecot: child 31313 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: child 31316 (imap) killed with signal 11
Jul 11 15:31:07 localhost dovecot: imap-login: Login: user=<ernie>, method=plain, rip=127.0.0.1, lip=127.0.0.1, secured
[...]
========================================================================================
This is caused by the infinite recursive loop made by the "return _read(stream);".
The problem is triggered in my mbox directories because I have .svn/format
files lying around (mail under svn revision control). In this case, the file is 2 bytes long:
========================================================================================
ernie at dent:~/Mail$ hexdump -C .svn/format
00000000 34 0a |4.|
00000002
========================================================================================
The attached patch (guarding against eof) is a reasonable workaround.
bye,
Roland
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot.patch
Type: text/x-c
Size: 682 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20060711/9e53c67b/attachment.bin
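
The recursion described in the report, reduced to a self-contained model (an added example, not Dovecot's code and not the attached patch, which is not shown on this page). toy_stream, toy_read, run and DEPTH_LIMIT are hypothetical names; the model keeps only the pos == 2 retry and assumes the guard skips the retry once the parent stream reports EOF.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define DEPTH_LIMIT 1000 /* stands in for stack exhaustion (signal 11) */

/* Hypothetical stand-in for the parent stream; not a Dovecot structure. */
struct toy_stream {
    size_t size;     /* total file size in bytes */
    size_t buffered; /* bytes visible to the reader so far */
    bool eof;        /* set once the whole file has been buffered */
    unsigned depth;  /* call depth, tracked for the demonstration only */
};

/* Returns bytes available, or -2 if the retry recursion hit DEPTH_LIMIT. */
static long toy_read(struct toy_stream *s, bool guard_eof)
{
    if (++s->depth > DEPTH_LIMIT)
        return -2;
    s->buffered = s->size; /* the parent read delivers everything ... */
    s->eof = true;         /* ... and reports that no more data can come */
    if (s->buffered == 2 && !(guard_eof && s->eof))
        return toy_read(s, guard_eof); /* "need more data": retry */
    return (long)s->buffered;
}

/* Read a file of the given size with or without the EOF guard. */
static long run(size_t size, bool guard_eof)
{
    struct toy_stream s = { size, 0, false, 0 };
    return toy_read(&s, guard_eof);
}

int main(void)
{
    printf("2-byte file, no guard: %ld\n", run(2, false));
    printf("2-byte file, guarded:  %ld\n", run(2, true));
    printf("3-byte file, no guard: %ld\n", run(3, false));
    return 0;
}
```

A result of -2 marks the case where the real process would keep recursing until the stack is exhausted; only the 2-byte file without the guard reaches it.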