On 09 Dec 2015, at 10:55, Peter Eriksson peter@ifm.liu.se wrote:
Just found a coredump from the imap process for one of our users on dovecot 2.2.19 on a Solaris 10/x86 system:
Dec 8 14:33:17 mail dovecot: [ID 583609 mail.crit] imap(leijo): Fatal: master: service(imap): child 14465 killed with signal 11 (core dumped)
Please find attached dovecot -n output and some gdb backtrace. It seems that cmd->client was NULL when dereferencing it at line 178 in imap-commands.c (in the function command_exec):
178 cmd->bytes_in += i_stream_get_absolute_offset(cmd->client->input) - 179 cmd_start_bytes_in;
Please let me know if you need more information. I don't know what the users was doing at that specific time.
That's pretty strange. The command seems to have been freed to early. v2.2.20 has some changes related to this, but I don't think it fixed a bug exactly like this. I added some new asserts to try to catch this earlier: http://hg.dovecot.org/dovecot-2.2/rev/4535ac0b8ab1