[Dovecot] imap segfaults on UID SEARCH NOT <NON-EXISTENT-ID>

SATOH Fumiyasu fumiyas at osstech.jp
Thu Jul 28 17:30:47 EEST 2011


Hi,

Dovecot 2.0.13 imap process segfaults in the following scenario
on Debian GNU/Linux unstable (amd64) and Solaris 10 (amd64).
Note that the trigger is a single ordinary command sent after a
successful LOGIN and SELECT, so any authenticated user can reproduce
it on demand and kill the imap process serving their session (a
denial of service against at least that connection):

$ telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
1 login username password
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
2 select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 3 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1311811715] UIDs valid
* OK [UIDNEXT 4] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
2 OK [READ-WRITE] Select completed.
3 uid search all
* SEARCH 1 2 3
3 OK Search completed (0.000 secs).
4 uid search not 2
* SEARCH 1 3
4 OK Search completed (0.000 secs).
5 uid search not 99
Connection closed by foreign host.
zsh: exit 1     telnet localhost imap

gdb backtrace is the following:

#0  search_msgset_fix (messages_count=3, seqset=<value optimized out>, seq1_r=0x9340f8,
    seq2_r=0x9340fc, not=true) at index-search.c:774
        range = 0x9328a0
        count = <value optimized out>
        min_seq = 1
        max_seq = <value optimized out>
#1  0x00007f675a215663 in search_msgset_fix (messages_count=3, args=0x9327d8,
    seq1_r=0x9340f8, seq2_r=0x9340fc) at index-search.c:763
No locals.
#2  search_parse_msgset_args (messages_count=3, args=0x9327d8, seq1_r=0x9340f8,
    seq2_r=0x9340fc) at index-search.c:857
        __FUNCTION__ = "search_parse_msgset_args"
#3  0x00007f675a215b4a in search_get_seqset (t=<value optimized out>, args=0x932710,
    sort_program=<value optimized out>) at index-search.c:953
No locals.
#4  index_storage_search_init (t=<value optimized out>, args=0x932710,
    sort_program=<value optimized out>) at index-search.c:1097
        ctx = 0x934090
        status = {
          messages = 3,
          recent = 0,
          unseen = 3,
          uidvalidity = 1311811715,
          uidnext = 4,
          first_unseen_seq = 0,
          first_recent_uid = 4,
          highest_modseq = 0,
          virtual_size = 0,
          keywords = 0x0,
          cache_fields = 0x0,
          nonpermanent_modseqs = 0
        }
#5  0x00000000004166e5 in imap_search_start (ctx=0x926008, sargs=0x932710,
    sort_program=0x0) at imap-search.c:540
        cmd = 0x925f00
        wanted_fields = 0
        wanted_headers = 0x0
#6  0x000000000040d726 in cmd_search (cmd=0x925f00) at cmd-search.c:45
        ctx = 0x926008
        sargs = 0x932710
        args = 0x928758
        charset = 0x419b95 "UTF-8"
        ret = <value optimized out>
#7  0x000000000041079d in client_command_input (cmd=0x925f00) at imap-client.c:672
        client = 0x9257e0
        command = <value optimized out>
        __FUNCTION__ = "client_command_input"
#8  0x0000000000410875 in client_command_input (cmd=0x925f00) at imap-client.c:722
        client = 0x9257e0
        command = <value optimized out>
        __FUNCTION__ = "client_command_input"
#9  0x0000000000410ab5 in client_handle_next_command (client=0x9257e0) at imap-client.c:763
        size = 21
#10 client_handle_input (client=0x9257e0) at imap-client.c:775
        _data_stack_cur_id = 3
        ret = 176
        remove_io = false
        handled_commands = false
        __FUNCTION__ = "client_handle_input"
#11 0x0000000000411322 in client_input (client=0x9257e0) at imap-client.c:814
        cmd = <value optimized out>
        output = 0x925dc8
        bytes = 21
        __FUNCTION__ = "client_input"
#12 0x00007f6759f902c8 in io_loop_call_io (io=0x91ad50) at ioloop.c:384
        ioloop = 0x902610
        t_id = 2
#13 0x00007f6759f91327 in io_loop_handler_run (ioloop=<value optimized out>)
    at ioloop-epoll.c:213
        ctx = 0x902840
        events = 0x800932898
        event = 0x9028b0
        list = 0x925e60
        io = <value optimized out>
        tv = {
          tv_sec = 1799,
          tv_usec = 999391
        }
        msecs = <value optimized out>
        ret = 1
        i = <value optimized out>
        call = <value optimized out>
#14 0x00007f6759f90258 in io_loop_run (ioloop=0x902610) at ioloop.c:405
No locals.
#15 0x00007f6759f7e793 in master_service_run (service=0x9024e0,
    callback=<value optimized out>) at master-service.c:478
No locals.
#16 0x0000000000408f37 in main (argc=1, argv=0x902370) at main.c:375
        set_roots = {0x41be60, 0x0}
        service_flags = <value optimized out>
        storage_service_flags = <value optimized out>
        postlogin_socket_path = 0x0
        username = <value optimized out>
        c = <value optimized out>

In src/lib-storage/index/index-search.c:search_msgset_fix()
(frame #0 above), "range = array_get(seqset, &count);" sets the
"count" local variable to 0 (presumably because UID 99 maps to no
existing message, so the sequence set is empty after
search_msgset_fix_limits() returns true). With count == 0 the
expression range[count-1] indexes range[(unsigned int)-1], an
out-of-bounds read, which is what faults below. The function needs
an explicit "count == 0" check before indexing range[]; the !not
branch uses the same range[0] / range[count-1] indexing, though this
trace does not show whether count can be 0 on that path.

static void search_msgset_fix(unsigned int messages_count,
			      ARRAY_TYPE(seq_range) *seqset,
			      uint32_t *seq1_r, uint32_t *seq2_r, bool not)
{
	const struct seq_range *range;
	unsigned int count;
	uint32_t min_seq, max_seq;

	if (!search_msgset_fix_limits(messages_count, seqset, not)) {
		*seq1_r = (uint32_t)-1;
		*seq2_r = 0;
		return;
	}

	range = array_get(seqset, &count);     <- count gets value 0
	if (!not) {
		min_seq = range[0].seq1;
		max_seq = range[count-1].seq2;
	} else {
		min_seq = range[0].seq1 > 1 ? 1 : range[0].seq2 + 1;
		max_seq = range[count-1].seq2 < messages_count ?
                                   ^
                                   |
                            segfault here: count == 0, so range[count-1]
                            reads range[(unsigned int)-1] (out of bounds)

-- 
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- Personal Home: http://www.SFO.jp/blog/

