I am testing migration from Qpopper 4.0.5 and have come across a problem.

Dovecot dies while processing UIDL command when accessing malformed Qpopper's mbox which has duplicated "From " separator. Qpopper occasionally makes such header while rewriting mbox.

In the attached file, unnecessary "From " at line 3.

• Dovecot 1.0.0 on Debian 4.0(x86)

• ext3 filesystem(not NFS)

• description Dovecot dies while processing UIDL command with malformed Qpopper's mbox which has duplicated "From " separator.

  This occurs when "pop3_reuse_xuidl" is "yes".

  conversation with Dovecot

  $ telnet localhost 110
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  +OK Dovecot ready.
  user xxxxxxxx
  +OK
  pass xxxxxxxx
  +OK Logged in.
  uidl
  Connection closed by foreign host.
  

• Dovecot configuration # /usr/local/etc/dovecot.conf protocols: imap pop3 ssl_disable: yes disable_plaintext_auth: no login_dir: /usr/local/var/run/dovecot/login login_executable(default): /usr/local/libexec/dovecot/imap-login login_executable(imap): /usr/local/libexec/dovecot/imap-login login_executable(pop3): /usr/local/libexec/dovecot/pop3-login mail_extra_groups: mail mail_location: mbox:~/:INBOX=/var/mail/%u mail_full_filesystem_access: yes mbox_write_locks: fcntl mail_executable(default): /usr/local/libexec/dovecot/imap mail_executable(imap): /usr/local/libexec/dovecot/imap mail_executable(pop3): /usr/local/libexec/dovecot/pop3 mail_plugin_dir(default): /usr/local/lib/dovecot/imap mail_plugin_dir(imap): /usr/local/lib/dovecot/imap mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3 pop3_reuse_xuidl(default): no pop3_reuse_xuidl(imap): no pop3_reuse_xuidl(pop3): yes pop3_uidl_format(default): pop3_uidl_format(imap): pop3_uidl_format(pop3): %08Xu%08Xv auth default: passdb: driver: pam userdb: driver: passwd socket: type: listen client: path: /var/spool/postfix/private/auth mode: 432 user: postfix group: postfix master:

• how to reproduce

  1. set "pop3_reuse_xuidl = yes".
  2. replace test user's mailbox with attached file.
  3. pop3 login and exec "UIDL". POP3 process will die.

-- // -------------------------------------------------------------- // MAEDA, Go <maeda-g@secom-sanin.co.jp>

POP3(test01): file ../../../src/lib/array.h: line 157 (_array_idx): assertion failed: (idx * array->element_size < array->buffer->used) POP3(test01): Raw backtrace: pop3 [0x80a9fab] -> pop3 [0x80a99a9] -> pop3 [0x807ec2c] -> pop3(index_mail_get_headers+0x254) [0x807eeb4] -> pop3(index_mail_get_first_header+0x18) [0x807ef48] -> pop3(mail_get_first_header+0x16) [0x809b746] -> pop3 [0x8057ae9] -> pop3 [0x8057c7f] -> pop3 [0x805674e] -> pop3(io_loop_handler_run+0x128) [0x80b03e8] -> pop3(io_loop_run+0x28) [0x80af858] -> pop3(main+0x82) [0x8058792] -> /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xc8) [0xb7dffea8] -> pop3 [0x8055c21] child 4788 (pop3) killed with signal 6

From xxx@xx.xxxxxxx.xx.xx Sat Feb 17 19:27:47 2007 X-UIDL: i[f"!$h*!!S67!!/RW!! From xxx@xx.xxxxxxx.xx.xx Sat Feb 17 19:27:47 2007 Return-Path: <xxx@xx.xxxxxxx.xx.xx> X-Original-To: xxxxxxxx@xx.xxxxxxx.xx.xx Delivered-To: xxxxxxxx@xx.xxxxxxx.xx.xx Received: xxxx xxxx-xxxx-xxxxxx.xxxxxxx.xx.xx (xx [xxx.x.x.x]) xx xx-xxxxxxxx.xxxxxxx.xx.xx (xxxxxxx) xxxx xxxx xx xxxxxxxxxx xxx <xxxxxxxx@xx.xxxxxxx.xx.xx>; xxx, xx xxx xxxx xx:xx:xx +xxxx (xxx) Received: xx xx.xxxxxxx.xx.xx (xxxxxxx, xxxx xxxxxx xx) xx xxxxxxxxxx; xxx, xx xxx xxxx xx:xx:xx +xxxx (xxx) X-Mailer: xxxxxxx xx.x xx xxx.xxxxxx.xx.xx X-HTTP_REFERER: xxxx://xxx.xx-xxxxxxx.xx.xx/xxxx/xxxxx.xxxx Errors-To: xxxxxxxxx@xx-xxxxxxx.xx.xx To: xxxxxxxxx@xx-xxxxxxx.xx.xx From: x.xxxxxxxxx@xxxxxxx.xxx Subject: $x<xxx$x$?$$(xx-xxxx Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="ISO-2022-JP" Message-Id: <xxxxxxxxxxxxxx.xxxxxxxxxx@xx.xxxxxxx.xx.xx> Date: Sat, 17 Feb 2007 19:27:47 +0900 (JST) Status: RO

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

From xxx@xx.xxxxxxx.xx.xx Tue Feb 20 14:06:25 2007 X-UIDL: 7;j"!L;8"!b\%#!pH5!! Return-Path: <xxx@xx.xxxxxxx.xx.xx> X-Original-To: xxxxxxxx@xx.xxxxxxx.xx.xx Delivered-To: xxxxxxxx@xx.xxxxxxx.xx.xx Received: xxxx xxxx-xxxx-xxxxxx.xxxxxxx.xx.xx (xx [xxx.x.x.x]) xx xx-xxxxxxxx.xxxxxxx.xx.xx (xxxxxxx) xxxx xxxx xx xxxxxxxxxx xxx <xxxxxxxx@xx.xxxxxxx.xx.xx>; xxx, xx xxx xxxx xx:xx:xx +xxxx (xxx) Received: xx xx.xxxxxxx.xx.xx (xxxxxxx, xxxx xxxxxx xx) xx xxxxxxxxxx; xxx, xx xxx xxxx xx:xx:xx +xxxx (xxx) X-Mailer: xxxxxxx xx.x xx xxx.xxxxxx.xx.xx X-HTTP_REFERER: xxxx://xxx.xx-xxxxxxx.xx.xx/xxxx/xxxxx.xxxx Errors-To: xxxxxxxxx@xx-xxxxxxx.xx.xx To: xxxxxxxxx@xx-xxxxxxx.xx.xx From: xxxxx@xxxxx-xxx.xx.xx Subject: $x<xxx$x$?$$(xx-xxxx Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="ISO-2022-JP" Message-Id: <xxxxxxxxxxxxxx.xxxxxxxxxx@xx.xxxxxxx.xx.xx> Date: Tue, 20 Feb 2007 14:06:25 +0900 (JST) Status: RO

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx