[PATCH] expire plugins segfault with misconfigured dict
dovecot 2.2.13
With configuration like
plugin {
  expire_dict = blblbla
}
the expire plugin segfaults during deinit. It might also segfault if the dict service was unavailable.
Attached below is a diff against 2.2.13.
Jul 7 14:51:11 dovecot1 dovecot: lmtp(10548, lazy): Error: expire plugin: dict_init(blblbla) failed: Dictionary URI is missing ':': blblbla
Jul 7 14:51:11 dovecot1 dovecot: lmtp(10548, lazy): Fatal: master: service(lmtp): child 10548 killed with signal 11 (core dumps disabled)
Program received signal SIGSEGV, Segmentation fault.
0x00007f337d8af8ae in dict_deinit (_dict=0x8) at dict.c:87
87 struct dict *dict = *_dict;
(gdb) bt
#0 0x00007f337d8af8ae in dict_deinit (_dict=0x8) at dict.c:87
#1 0x00007f337c88f647 in expire_mail_user_deinit (user=0x1b60e80) at expire-plugin.c:299
#2 0x00007f337cca3e7f in quota_user_deinit (user=0x1b60e80) at quota-storage.c:491
#3 0x00007f337dbcb0f1 in mail_user_unref (_user=0x1b2d070) at mail-user.c:163
#4 0x000000000040832b in client_input_data_write_local (client=0x1b2cf60, input=0x1b43f10) at commands.c:830
#5 0x0000000000408755 in client_input_data_write (client=0x1b2cf60) at commands.c:939
#6 0x0000000000408b18 in client_input_data_handle (client=0x1b2cf60) at commands.c:1033
#7 0x0000000000408b52 in client_input_data (client=0x1b2cf60) at commands.c:1042
#8 0x00007f337d8fc723 in io_loop_call_io (io=0x1b2c360) at ioloop.c:441
#9 0x00007f337d8fe6e5 in io_loop_handler_run_internal (ioloop=0x1b27740) at ioloop-epoll.c:220
#10 0x00007f337d8fc8be in io_loop_handler_run (ioloop=0x1b27740) at ioloop.c:488
#11 0x00007f337d8fc817 in io_loop_run (ioloop=0x1b27740) at ioloop.c:465
#12 0x00007f337d888d40 in master_service_run (service=0x1b275d0, callback=0x404b5c <client_connected>) at master-service.c:566
#13 0x0000000000404db2 in main (argc=1, argv=0x1b27390) at main.c:122
(gdb) p _dict
$1 = (struct dict **) 0x8
(gdb) bt full
#0 0x00007f337d8af8ae in dict_deinit (_dict=0x8) at dict.c:87
dict = 0x10
#1 0x00007f337c88f647 in expire_mail_user_deinit (user=0x1b60e80) at expire-plugin.c:299
euser = 0x0
#2 0x00007f337cca3e7f in quota_user_deinit (user=0x1b60e80) at quota-storage.c:491
quser = 0x1b62958
quota_set = 0x1b656a0
#3 0x00007f337dbcb0f1 in mail_user_unref (_user=0x1b2d070) at mail-user.c:163
user = 0x1b60e80
__FUNCTION__ = "mail_user_unref"
#4 0x000000000040832b in client_input_data_write_local (client=0x1b2cf60, input=0x1b43f10) at commands.c:830
session = 0x1b60a70
src_mail = 0x1b5c250
old_uid = 300
first_uid = 4294967295
__FUNCTION__ = "client_input_data_write_local"
#5 0x0000000000408755 in client_input_data_write (client=0x1b2cf60) at commands.c:939
input = 0x1b43f10
ret = true
#6 0x0000000000408b18 in client_input_data_handle (client=0x1b2cf60) at commands.c:1033
data = 0x1b556b8 "\330\001"
size = 2
ret = -1
#7 0x0000000000408b52 in client_input_data (client=0x1b2cf60) at commands.c:1042
-- Michal Grzedzicki
2014-07-07 15:18 GMT+02:00 Lazy <lazy404@gmail.com>:
dovecot 2.2.13
With configuration like
plugin {
  expire_dict = blblbla
}
the expire plugin segfaults during deinit. It might also segfault if the dict service was unavailable.
Attached below is a diff against 2.2.13.
reposting -- Michal Grzedzicki --- src/plugins/expire/expire-plugin.c (wersja 1343) +++ src/plugins/expire/expire-plugin.c (kopia robocza) @@ -296,10 +296,12 @@ { struct expire_mail_user *euser = EXPIRE_USER_CONTEXT(user); - dict_deinit(&euser->db); - expire_set_deinit(&euser->set); + if (euser != NULL) { + dict_deinit(&euser->db); + expire_set_deinit(&euser->set); - euser->module_ctx.super.deinit(user); + euser->module_ctx.super.deinit(user); + } } static const char *const *expire_get_patterns(struct mail_user *user)
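Review bot: in expire_mail_user_deinit(), moving `euser->module_ctx.super.deinit(user);` inside `if (euser != NULL)` means that when euser is NULL the saved parent deinit is never called, so whatever this hook replaced is skipped for that user. The backtrace shows this hook running with euser = 0x0, which suggests the hook was installed on a path that never set the context; returning from the dict_init() failure path before the hook is installed would remove the NULL case here and keep the deinit chain intact.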
On 03 Aug 2014, at 15:13, Lazy <lazy404@gmail.com> wrote:
plugin {
  expire_dict = blblbla
}
the expire plugin segfaults during deinit. It might also segfault if the dict service was unavailable.
Attached below is a diff against 2.2.13.
Thanks! I fixed it differently though, better to handle the dict_init() failure the same as other failures: http://hg.dovecot.org/dovecot-2.2/rev/cac32684b3d6
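The approach named in the reply above (treat the dict open failure like any other init failure), as a small model added here for illustration; it is not Dovecot code and not the contents of the linked commit. All type and function names are hypothetical, and "proxy::expire" is a constructed sample value.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical miniature of a per-user hook chain; not Dovecot's API. */
struct user;
struct vfuncs { void (*deinit)(struct user *); };
struct user { struct vfuncs v; void *ctx; int base_deinit_calls; };
struct plugin_ctx { struct vfuncs super; const char *db; }; /* saved parent hooks; dict stand-in */

static void base_deinit(struct user *u) { u->base_deinit_calls++; }
/* Stand-in for dict_init(): like the log line, reject a URI without ':'. */
static const char *db_open(const char *uri) { return strchr(uri, ':') ? uri : NULL; }

/* No NULL check needed: this hook is installed only together with ctx. */
static void plugin_deinit(struct user *u)
{
	struct plugin_ctx *ctx = u->ctx;
	struct vfuncs super = ctx->super;
	free(ctx);
	u->ctx = NULL;
	super.deinit(u); /* the parent always runs */
}

/* Returns 1 if the plugin hooked this user, 0 if it stayed out of the chain. */
static int plugin_user_created(struct user *u, const char *uri)
{
	const char *db = db_open(uri);
	struct plugin_ctx *ctx;
	if (db == NULL || (ctx = calloc(1, sizeof(*ctx))) == NULL)
		return 0; /* bail out before u->v is touched */
	ctx->db = db;
	ctx->super = u->v;           /* save the parent hooks, */
	u->v.deinit = plugin_deinit; /* install ours, */
	u->ctx = ctx;                /* and set the context in the same step */
	return 1;
}

/* One user lifetime: returns hooked * 10 + number of base deinit calls. */
static int run_user(const char *uri)
{
	struct user u = { { base_deinit }, NULL, 0 };
	int hooked = plugin_user_created(&u, uri);
	u.v.deinit(&u);
	return hooked * 10 + u.base_deinit_calls;
}
/* Constructed inputs: the bad value from the report and a well-formed URI. */
int main(void)
{
	return run_user("blblbla") == 1 && run_user("proxy::expire") == 11 ? 0 : 1;
}
```

With the bad URI the plugin never enters the chain, so deinit reaches the parent directly and there is no NULL context to dereference.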
participants (2)
- Lazy
- Timo Sirainen