[Dovecot] Dovecot 2.0beta3: Latest HG crashed upon LMTP Delivery

Bernhard Schmidt berni at birkenwald.de
Mon Mar 8 22:27:36 EET 2010


Bernhard Schmidt <berni at birkenwald.de> wrote:

>> Simple LMTP handshake crashes it:
> Same here. I'm pretty sure it has been introduced with one of these two
> changes:

Affects dovecot-lda as well:

mail.svr02.mucip.net:/var/run/dovecot# sudo -u vmail gdb /usr/lib/dovecot/dovecot-lda
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib/dovecot/dovecot-lda...Reading symbols from
/usr/lib/debug/usr/lib/dovecot/dovecot-lda...done.
(no debugging symbols found)...done.
(gdb) set args -d berni
(gdb) run
Starting program: /usr/lib/dovecot/dovecot-lda -d berni
[Thread debugging using libthread_db enabled]
Executing new program: /usr/bin/doveconf
[Thread debugging using libthread_db enabled]
Executing new program: /usr/lib/dovecot/dovecot-lda
[Thread debugging using libthread_db enabled]
asjk

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78d21c0 in message_parse_header_next (ctx=0x6427b0,
hdr_r=<value optimized out>)
    at message-header-parser.c:196
196	message-header-parser.c: Datei oder Verzeichnis nicht gefunden.
	in message-header-parser.c
(gdb) bt full
#0  0x00007ffff78d21c0 in message_parse_header_next (ctx=0x6427b0,
hdr_r=<value optimized out>)
    at message-header-parser.c:196
        msg = 0x64c3d9 ""
        i = 23591
        size = 18446744073709464054
        startpos = 0
        colon_pos = 520
        parse_size = 18446744073709464053
        ret = <value optimized out>
        continues = <value optimized out>
        no_newline = <value optimized out>
        crlf_newline = <value optimized out>
        __PRETTY_FUNCTION__ = "message_parse_header_next"
#1  0x00007ffff78d3a97 in parse_next_header (ctx=0x64c588,
block_r=0x7fffffffcca0) at message-parser.c:480
        part = 0x646f10
        hdr = <value optimized out>
        size = <value optimized out>
        ret = <value optimized out>
        __PRETTY_FUNCTION__ = "parse_next_header"
#2  0x00007ffff78d3149 in message_parser_parse_next_block (ctx=0x64c588,
block_r=0x7fffffffcca0)
    at message-parser.c:768
        ret = 23591
        eof = false
        full = false
        __PRETTY_FUNCTION__ = "message_parser_parse_next_block"
#3  0x00007ffff78d334b in message_parser_parse_header (ctx=0x64c588,
hdr_size=0x646860, 
    callback=0x7ffff7b83a90 <index_mail_parse_part_header_cb>,
context=0x646648) at message-parser.c:807
        block = {part = 0x646f10, hdr = 0x6427b0, data = 0x7ffff7b83a90
"\351\063\341\373\377ff.\017\037\204", 
          size = 0}
        ret = <value optimized out>
        __PRETTY_FUNCTION__ = "message_parser_parse_header"

I'm now on +27 (10867:c56358283605), still crashing.

Bernhard


