On 04.03.2018 16:25, Reio Remma wrote:

Hello!

I'm having crashes with LMTP delivery when user is over quota on the latest CentOS 7.4 with the latest Dovecot 2.3.0.1 from Dovecot repo.

I see the issue has been fixed on January 17, but it doesn't seem to have made it into 2.3.0.1 (I compared with the source from https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz).

https://github.com/dovecot/core/commit/2bf919786518d138cc07d9cc21e14ad5e07e5...

I also noticed a similar construct being used on line 465 (rcpt->rcpt.rcpt->path) that was causing the segfault on the above commit on line 136.

struct smtp_address *rcpt_to = rcpt->rcpt.rcpt->path;

Should that also use rcpt->rcpt.path; ?

Thanks from the other side of the gulf! Reio

I now managed to coax a core dump out of CentOS - here it is.

Thanks! Reio

Reading symbols from /usr/libexec/dovecot/lmtp...Reading symbols from /usr/lib/debug/usr/libexec/dovecot/lmtp.debug...done. done. [New LWP 18733] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `dovecot/lmtp -L'. Program terminated with signal 11, Segmentation fault. #0  smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050 "5.2.2", fmt=0x562468e05042 "<%s> %s") at smtp-server-reply.c:210 210             i_assert(cmd->replies_expected <= 1); (gdb) bt full #0  smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050 "5.2.2", fmt=0x562468e05042 "<%s> %s") at smtp-server-reply.c:210 cmd = args = {{gp_offset = 1790721792, fp_offset = 22052, overflow_arg_area = 0x56246abc3f14, reg_save_area = 0x56246ab70b58}} __func__ = "smtp_server_reply" #1  0x0000562468e034d7 in lmtp_local_deliver (session=0x56246abe2cd8, src_mail=0x56246abde0a8, rcpt=0x56246abada50, trans=0x56246abc3df8, cmd=0x56246ab81868, local=0x56246ab7cba0) at lmtp-local.c:621 set_parser = <optimized out> line = <optimized out> str = 0x56246ab70068 proxy_data = {proto = SMTP_PROXY_PROTOCOL_LMTP, source_ip = {family = 0, u = {ip6 = {__in6_u = {__u6_addr8 = '\000' , __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, ip4 = {s_addr = 0}}}, source_port = 0, helo = 0x56246abc3c80 "bwo.mrstuudio.ee", login = 0x0, ttl_plus_1 = 0, timeout_secs = 0, extra_fields = 0x0, extra_fields_count = 0} delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043} sets = <optimized out> rcpt_user = 0x56246abe30e8 mail_set = <optimized out> username = <optimized out> rcpt_idx = 0 smtp_set = 0x56246abcf448 lda_set = 0x56246abcf4b8 ns = <optimized out> rcpt_to = 0x56246abc3f00 trcpt = 0x56246abc3ec0 storage = 0x56246abe8838 mail_error = MAIL_ERROR_NOQUOTA ret = <optimized out> client = 0x56246abaf538 service_user = <optimized out> dctx = {pool = 0x56246abe2cb0, set = 0x56246abcf4b8, smtp_set = 0x56246abcf448, session = 0x56246abe2cd8, session_time_msecs = 24, delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043}, dup_db = 0x0, session_id = 0x56246abadab0 "PAN2KNUNnFotSQAAinc3nQ", src_mail = 0x56246abde0a8, mail_from = 0x56246abc3e98, mail_params = {auth = 0x0, body = {type = SMTP_PARAM_MAIL_BODY_TYPE_UNSPECIFIED, ext = 0x0}, envid = 0x0, ret = SMTP_PARAM_MAIL_RET_UNSPECIFIED, size = 0, extra_params = {arr = {buffer = 0x0, element_size = 0}, v = 0x0, v_modifiable = 0x0}}, rcpt_to = 0x56246abc3f00, rcpt_params = {orcpt = {addr_type = 0x0, addr = 0x56246abc3f00, addr_raw = 0x0}, notify = SMTP_PARAM_RCPT_NOTIFY_UNSPECIFIED, extra_params = {arr = {buffer = 0x0, element_size = 0}, v = 0x0, v_modifiable = 0x0}}, rcpt_user = 0x56246abe30e8, rcpt_default_mailbox = 0x562468e05064 "INBOX", dest_mail = 0x0, cache = 0x56246abe2df8, tempfail_error = 0x0, tried_default_save = true, saved_mail = false, save_dest_mail = false, mailbox_full = false, dsn = false} input = <optimized out> var_table = <optimized out> error = 0x56246abfb3a0 "Kasutaja postkast on täis." #2  lmtp_local_deliver_to_rcpts (session=0x56246abe2cd8, trans=0x56246abc3df8, cmd=0x56246ab81868, local=0x56246ab7cba0) at lmtp-local.c:657 rcpt = 0x56246abada50 first_uid = 4294967295 src_mail = 0x56246abde0a8 count = 1 i = 0 rcpts = <optimized out> #3  lmtp_local_data (client=client@entry=0x56246abaf538, cmd=cmd@entry=0x56246ab81868, trans=trans@entry=0x56246abc3df8, input=<optimized out>) at lmtp-local.c:734 local = 0x56246ab7cba0 session = 0x56246abe2cd8 old_uid = 0 #4  0x0000562468e02123 in cmd_data_finish (trans=0x56246abc3df8, cmd=0x56246ab81868, client=0x56246abaf538) at commands.c:144 state = 0x56246abaf5c0 input_proxy = 0x0 input_msg = 0x0 input_local = 0x56246abd5348 inputs = {0x0, 0x56246abcd108, 0x0} #5  cmd_data_continue (conn_ctx=0x56246abaf538, cmd=0x56246ab81868, trans=0x56246abc3df8) at commands.c:190 client = 0x56246abaf538 state = 0x56246abaf5c0 data_input = <optimized out> data = <optimized out> size = 1750 ret = <optimized out> __func__ = "cmd_data_continue" #6  0x00007fc8abd7a250 in cmd_data_handle_input (cmd=0x56246ab81868) at smtp-server-cmd-data.c:199 conn = 0x56246abbeae0 callbacks = 0x562469006720 command = 0x56246ab81868 data_cmd = 0x56246abc3148 ret = <optimized out> __func__ = "cmd_data_handle_input" #7  0x00007fc8abe0cdf5 in io_loop_call_io (io=0x56246abbf020) at ioloop.c:614 ioloop = 0x56246ab76c30 t_id = 2 __func__ = "io_loop_call_io" #8  0x00007fc8abe0e69f in io_loop_handler_run_internal (ioloop=ioloop@entry=0x56246ab76c30) at ioloop-epoll.c:222 ctx = 0x56246ab82190 events = <optimized out> list = 0x56246abafd60 io = <optimized out> tv = {tv_sec = 299, tv_usec = 999415} events_count = <optimized out> msecs = <optimized out> ret = 1 i = 0 call = <optimized out> ---Type <return> to continue, or q <return> to quit--- __func__ = "io_loop_handler_run_internal" #9  0x00007fc8abe0cef2 in io_loop_handler_run (ioloop=ioloop@entry=0x56246ab76c30) at ioloop.c:666 __func__ = "io_loop_handler_run" #10 0x00007fc8abe0d118 in io_loop_run (ioloop=0x56246ab76c30) at ioloop.c:639 __func__ = "io_loop_run" #11 0x00007fc8abd8ace3 in master_service_run (service=0x56246ab76ac0, callback=callback@entry=0x562468e013d0 ) at master-service.c:767 No locals. #12 0x0000562468e011a6 in main (argc=2, argv=0x56246ab76890) at main.c:159 set_roots = {0x7fc8ac095fa0 , 0x7fc8ac5f6ba0 , 0x562469006560 , 0x0} service_flags = <optimized out> storage_service_flags = <optimized out> tmp_base_dir = 0x56246ab6e040 "tp data)" c = <optimized out> error = 0x0

Op 3/4/2018 om 3:25 PM schreef Reio Remma:

Hello!

I'm having crashes with LMTP delivery when user is over quota on the latest CentOS 7.4 with the latest Dovecot 2.3.0.1 from Dovecot repo.

I see the issue has been fixed on January 17, but it doesn't seem to have made it into 2.3.0.1 (I compared with the source from https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz).

That release is just about the CVEs afaik. The remaining fixes will be in v2.3.1.

https://github.com/dovecot/core/commit/2bf919786518d138cc07d9cc21e14ad5e07e5...

I also noticed a similar construct being used on line 465 (rcpt->rcpt.rcpt->path) that was causing the segfault on the above commit on line 136.

struct smtp_address *rcpt_to = rcpt->rcpt.rcpt->path;

Should that also use rcpt->rcpt.path; ?

It would be a bit cleaner maybe, but at the DATA stage it will not segfault anymore, since the recipient path is definitively put in the transaction.

Regards,

Stephan.