[Dovecot] imap crash during URLFETCH
Dovecot-2.2.1's imap processes crash reliably when they use an IMAP URL with an invalid access specifier. A backtrace and some debug output follows. The crash is likely caused by imap_urlauth_fetch_parsed() returning 0 without having set *mpurl_r to NULL, and then imap_urlauth_fetch_local() freeing an uninitialized pointer.
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000001059

0 libdovecot-storage.0.dylib 0x000000010b06a383 imap_msgpart_url_free + 17
1 imap 0x000000010afc71cc imap_urlauth_fetch_local + 770
2 imap 0x000000010afc6dcf imap_urlauth_fetch_url + 439
3 imap 0x000000010afbb489 cmd_urlfetch + 580
4 imap 0x000000010afbdf4d command_exec + 55
5 imap 0x000000010afbdabb client_command_input + 34
6 imap 0x000000010afbdc7c client_command_input + 483
7 imap 0x000000010afbd351 client_handle_input + 239
8 imap 0x000000010afbc613 client_input + 119
9 libdovecot.0.dylib 0x000000010b111c74 io_loop_call_io + 46
10 libdovecot.0.dylib 0x000000010b112c85 io_loop_handler_run + 214
11 libdovecot.0.dylib 0x000000010b111e1f io_loop_run + 77
12 libdovecot.0.dylib 0x000000010b0d10c6 master_service_run + 24
13 imap 0x000000010afc5aba main + 1010
14 libdyld.dylib 0x00007fff89e5f7bd start + 1
Apr 29 20:00:31 imap(pid 82429 user mja): Debug: Fetching local URLAUTH imap://mja@duck.example.com/INBOX;uidvalidity=1366726248/;uid=19;urlauth=submit+mja:internal:012c9c6a3d74db6509e4a3802a0f5edf64546608b8
Apr 29 20:00:31 imap(pid 82429 user mja): Debug: Failed to fetch URLAUTH "imap://mja@duck.example.com/INBOX;uidvalidity=1366726248/;uid=19;urlauth=submit+mja:internal:012c9c6a3d74db6509e4a3802a0f5edf64546608b8": No 'submit+mja' access allowed for user mja
Apr 29 20:00:31 imap(pid 82429 user mja): Fatal: master: service(imap): child 82429 killed with signal 11 (core dumps disabled)
On 30.4.2013, at 4.07, Mike Abbott <michael.abbott@apple.com> wrote:
> Dovecot-2.2.1's imap processes crash reliably when they use an IMAP URL with an invalid access specifier. A backtrace and some debug output follows. The crash is likely caused by imap_urlauth_fetch_parsed() returning 0 without having set *mpurl_r to NULL, and then imap_urlauth_fetch_local() freeing an uninitialized pointer.
Right, fixed: http://hg.dovecot.org/dovecot-2.2/rev/24aa10efe132
I also noticed another crash: http://hg.dovecot.org/dovecot-2.2/rev/2a3134b0c25d
>> without having set *mpurl_r to NULL
> Right, fixed: http://hg.dovecot.org/dovecot-2.2/rev/24aa10efe132

That fixes it, thanks, but I wonder if it's incomplete? I notice that these also sometimes don't set *mpurl_r:

  imap_msgpart_url_create()
  imap_msgpart_url_parse()
  imap_urlauth_fetch()

That last one in particular is called from imap_urlauth_fetch_local() in the same way as the one you fixed.
On 3.5.2013, at 4.19, Mike Abbott <michael.abbott@apple.com> wrote:
>>> without having set *mpurl_r to NULL
>> Right, fixed: http://hg.dovecot.org/dovecot-2.2/rev/24aa10efe132
>
> That fixes it, thanks, but I wonder if it's incomplete? I notice that these also sometimes don't set *mpurl_r:
>
>   imap_msgpart_url_create()
>   imap_msgpart_url_parse()
>   imap_urlauth_fetch()
>
> That last one in particular is called from imap_urlauth_fetch_local() in the same way as the one you fixed.
Well, Dovecot functions in general don't set stuff to NULL when they return failure, so I shouldn't have fixed it that way. These fix the bugs I found: http://hg.dovecot.org/dovecot-2.2/rev/a45bfb4c7d66
clang static analyzer is pretty good at catching these though, wonder why it didn't catch these.
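The ownership convention Timo describes (the callee leaves the out-pointer alone on failure, so the caller must initialise it and check the return value before freeing), as an added C illustration that is not Dovecot's code; the struct, the function names and the "user+mja" access check are hypothetical stand-ins:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for Dovecot's struct imap_msgpart_url. */
struct msgpart_url {
	char *url;
};

static void msgpart_url_free(struct msgpart_url **mpurl)
{
	free((*mpurl)->url);
	free(*mpurl);
	*mpurl = NULL;
}

/* Returns 1 on success, 0 when the access specifier is not allowed, -1 on
   error. As Timo describes, the 0 and -1 paths do NOT touch *mpurl_r.
   Allowing only "user+mja" is a constructed stand-in for the real check. */
static int urlauth_fetch_parsed(const char *url, const char *access,
				struct msgpart_url **mpurl_r)
{
	if (url == NULL || *url == '\0')
		return -1;
	if (strcmp(access, "user+mja") != 0)
		return 0;	/* no access allowed: *mpurl_r left untouched */
	*mpurl_r = malloc(sizeof(**mpurl_r));
	(*mpurl_r)->url = malloc(strlen(url) + 1);
	strcpy((*mpurl_r)->url, url);
	return 1;
}

/* Caller written the way the fix requires: the pointer starts out NULL and
   is freed only after the return value says the fetch succeeded, so a
   denied URL never reaches free() through an uninitialised pointer.
   Returns the fetched URL length, 0 when access is denied, -1 on error. */
long urlauth_fetch_local(const char *url, const char *access)
{
	struct msgpart_url *mpurl = NULL;
	int ret = urlauth_fetch_parsed(url, access, &mpurl);
	long len;

	if (ret <= 0)
		return ret;	/* nothing was allocated; nothing to free */
	len = (long)strlen(mpurl->url);
	msgpart_url_free(&mpurl);
	return len;
}
```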