[Dovecot] imap segfaults on UID SEARCH NOT <NON-EXISTENT-ID>
Hi,
Dovecot 2.0.13 imap process segfaults in the following scenario on Debian GNU/Linux unstable (amd64) and Solaris 10 (amd64):
$ telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
1 login username password
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
2 select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 3 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1311811715] UIDs valid
* OK [UIDNEXT 4] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
2 OK [READ-WRITE] Select completed.
3 uid search all
* SEARCH 1 2 3
3 OK Search completed (0.000 secs).
4 uid search not 2
* SEARCH 1 3
4 OK Search completed (0.000 secs).
5 uid search not 99
Connection closed by foreign host.
zsh: exit 1     telnet localhost imap
gdb backtrace is the following:
#0  search_msgset_fix (messages_count=3, seqset=<value optimized out>, seq1_r=0x9340f8, seq2_r=0x9340fc, not=true) at index-search.c:774
        range = 0x9328a0
        count = <value optimized out>
        min_seq = 1
        max_seq = <value optimized out>
#1  0x00007f675a215663 in search_msgset_fix (messages_count=3, args=0x9327d8, seq1_r=0x9340f8, seq2_r=0x9340fc) at index-search.c:763
No locals.
#2  search_parse_msgset_args (messages_count=3, args=0x9327d8, seq1_r=0x9340f8, seq2_r=0x9340fc) at index-search.c:857
        __FUNCTION__ = "search_parse_msgset_args"
#3  0x00007f675a215b4a in search_get_seqset (t=<value optimized out>, args=0x932710, sort_program=<value optimized out>) at index-search.c:953
No locals.
#4  index_storage_search_init (t=<value optimized out>, args=0x932710, sort_program=<value optimized out>) at index-search.c:1097
        ctx = 0x934090
        status = {messages = 3, recent = 0, unseen = 3, uidvalidity = 1311811715, uidnext = 4, first_unseen_seq = 0, first_recent_uid = 4, highest_modseq = 0, virtual_size = 0, keywords = 0x0, cache_fields = 0x0, nonpermanent_modseqs = 0}
#5  0x00000000004166e5 in imap_search_start (ctx=0x926008, sargs=0x932710, sort_program=0x0) at imap-search.c:540
        cmd = 0x925f00
        wanted_fields = 0
        wanted_headers = 0x0
#6  0x000000000040d726 in cmd_search (cmd=0x925f00) at cmd-search.c:45
        ctx = 0x926008
        sargs = 0x932710
        args = 0x928758
        charset = 0x419b95 "UTF-8"
        ret = <value optimized out>
#7  0x000000000041079d in client_command_input (cmd=0x925f00) at imap-client.c:672
        client = 0x9257e0
        command = <value optimized out>
        __FUNCTION__ = "client_command_input"
#8  0x0000000000410875 in client_command_input (cmd=0x925f00) at imap-client.c:722
        client = 0x9257e0
        command = <value optimized out>
        __FUNCTION__ = "client_command_input"
#9  0x0000000000410ab5 in client_handle_next_command (client=0x9257e0) at imap-client.c:763
        size = 21
#10 client_handle_input (client=0x9257e0) at imap-client.c:775
        _data_stack_cur_id = 3
        ret = 176
        remove_io = false
        handled_commands = false
        __FUNCTION__ = "client_handle_input"
#11 0x0000000000411322 in client_input (client=0x9257e0) at imap-client.c:814
        cmd = <value optimized out>
        output = 0x925dc8
        bytes = 21
        __FUNCTION__ = "client_input"
#12 0x00007f6759f902c8 in io_loop_call_io (io=0x91ad50) at ioloop.c:384
        ioloop = 0x902610
        t_id = 2
#13 0x00007f6759f91327 in io_loop_handler_run (ioloop=<value optimized out>) at ioloop-epoll.c:213
        ctx = 0x902840
        events = 0x800932898
        event = 0x9028b0
        list = 0x925e60
        io = <value optimized out>
        tv = {tv_sec = 1799, tv_usec = 999391}
        msecs = <value optimized out>
        ret = 1
        i = <value optimized out>
        call = <value optimized out>
#14 0x00007f6759f90258 in io_loop_run (ioloop=0x902610) at ioloop.c:405
No locals.
#15 0x00007f6759f7e793 in master_service_run (service=0x9024e0, callback=<value optimized out>) at master-service.c:478
No locals.
#16 0x0000000000408f37 in main (argc=1, argv=0x902370) at main.c:375
        set_roots = {0x41be60, 0x0}
        service_flags = <value optimized out>
        storage_service_flags = <value optimized out>
        postlogin_socket_path = 0x0
        username = <value optimized out>
        c = <value optimized out>
In src/lib-storage/index/index-search.c:search_msgset_fix() (frame #0 above), "range = array_get(seqset, &count);" sets the "count" local variable to 0.
static void search_msgset_fix(unsigned int messages_count,
			      ARRAY_TYPE(seq_range) *seqset,
			      uint32_t *seq1_r, uint32_t *seq2_r, bool not)
{
	const struct seq_range *range;
	unsigned int count;
	uint32_t min_seq, max_seq;

	if (!search_msgset_fix_limits(messages_count, seqset, not)) {
		*seq1_r = (uint32_t)-1;
		*seq2_r = 0;
		return;
	}

	range = array_get(seqset, &count);    <- count gets value 0
	if (!not) {
		min_seq = range[0].seq1;
		max_seq = range[count-1].seq2;
	} else {
		min_seq = range[0].seq1 > 1 ? 1 : range[0].seq2 + 1;
		max_seq = range[count-1].seq2 < messages_count ?
			  ^
			  |
			  segfault at here
-- 
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- Personal Home: http://www.SFO.jp/blog/
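[Editor's note, not part of the thread] The crash path in the report is an unsigned underflow: once the set has been clamped to the mailbox and nothing is left, count is 0 and range[count-1] indexes range[UINT_MAX]. The C below is an added model of that step, written for this page and not taken from Dovecot or from the linked fix. struct seq_range and the argument names mirror the excerpt; clamp_ranges() is a constructed stand-in for search_msgset_fix_limits(), the completion of the truncated "max_seq = ..." expression is an assumption, and msgset_fix_hardened() is one possible guard, not the project's fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled on the excerpt; an inclusive sequence-number range. */
struct seq_range {
    uint32_t seq1;
    uint32_t seq2;
};

/* Constructed stand-in for search_msgset_fix_limits(): clamp each range to
 * [1, messages_count] and drop ranges lying entirely outside the mailbox.
 * "UID SEARCH NOT 99" against 3 messages (UIDs == seqs here) leaves zero
 * ranges, which is the state frame #0 of the backtrace was in. */
static unsigned int clamp_ranges(unsigned int messages_count,
                                 struct seq_range *ranges, unsigned int count)
{
    unsigned int kept = 0;
    for (unsigned int i = 0; i < count; i++) {
        if (ranges[i].seq1 == 0 || ranges[i].seq1 > messages_count)
            continue;
        ranges[kept] = ranges[i];
        if (ranges[kept].seq2 > messages_count)
            ranges[kept].seq2 = messages_count;
        kept++;
    }
    return kept;
}

/* The index the posted code uses for the last range: with count == 0 the
 * unsigned subtraction wraps to UINT_MAX, hence range[count-1] faults. */
uint32_t last_range_index(unsigned int count)
{
    return count - 1;
}

/* Pre-fix logic from the excerpt, with the array access guarded so the
 * out-of-bounds index is reported (return false) rather than dereferenced.
 * The "not" branch's trailing expression is an assumed completion. */
bool msgset_fix_unguarded(unsigned int messages_count,
                          const struct seq_range *range, unsigned int count,
                          bool not, uint32_t *seq1_r, uint32_t *seq2_r)
{
    unsigned int last = last_range_index(count);
    if (last >= count)                /* count == 0: would read range[UINT_MAX] */
        return false;
    if (!not) {
        *seq1_r = range[0].seq1;
        *seq2_r = range[last].seq2;
    } else {
        *seq1_r = range[0].seq1 > 1 ? 1 : range[0].seq2 + 1;
        *seq2_r = range[last].seq2 < messages_count ?
                  messages_count : range[last].seq1 - 1;   /* assumed */
    }
    return true;
}

/* One possible guard (not Dovecot's fix): decide the empty-set case before
 * range[] is touched. An empty set matches nothing; NOT of an empty set
 * matches every message. The sentinel (uint32_t)-1 / 0 follows the
 * excerpt's own "nothing matches" convention. */
void msgset_fix_hardened(unsigned int messages_count,
                         const struct seq_range *range, unsigned int count,
                         bool not, uint32_t *seq1_r, uint32_t *seq2_r)
{
    if (count == 0) {
        if (!not || messages_count == 0) {
            *seq1_r = (uint32_t)-1;
            *seq2_r = 0;
        } else {
            *seq1_r = 1;
            *seq2_r = messages_count;
        }
        return;
    }
    (void)msgset_fix_unguarded(messages_count, range, count, not,
                               seq1_r, seq2_r);
}

/* "UID SEARCH NOT <uid>" on a mailbox whose UIDs equal their sequence
 * numbers: true if the unguarded path would have gone out of bounds. */
bool search_not_crashes(unsigned int messages_count, uint32_t uid)
{
    struct seq_range set[1] = { { uid, uid } };
    unsigned int count = clamp_ranges(messages_count, set, 1);
    uint32_t s1, s2;
    return !msgset_fix_unguarded(messages_count, set, count, true, &s1, &s2);
}

/* Bounds the hardened variant yields for the same search, packed as
 * (seq1 << 32) | seq2 so a single value can be checked. */
uint64_t search_not_hardened_bounds(unsigned int messages_count, uint32_t uid)
{
    struct seq_range set[1] = { { uid, uid } };
    unsigned int count = clamp_ranges(messages_count, set, 1);
    uint32_t s1, s2;
    msgset_fix_hardened(messages_count, set, count, true, &s1, &s2);
    return ((uint64_t)s1 << 32) | s2;
}

int main(void)
{
    for (uint32_t uid = 2; uid <= 99; uid += 97) {
        uint64_t b = search_not_hardened_bounds(3, uid);
        printf("UID SEARCH NOT %u: unguarded OOB=%d, hardened bounds %u..%u\n",
               uid, search_not_crashes(3, uid),
               (unsigned)(b >> 32), (unsigned)(b & 0xffffffffu));
    }
    return 0;
}
```

The returned pair is only the candidate sequence window the search is then run over (NOT 2 gives 1..3, and the filter inside that window produces the "SEARCH 1 3" seen in the session); the point of the guard is that the window for an empty set is decided without ever computing count-1.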
On Thu, 2011-07-28 at 23:30 +0900, SATOH Fumiyasu wrote:
> 5 uid search not 99
> Connection closed by foreign host.
Thanks, fixed: http://hg.dovecot.org/dovecot-2.0/rev/0e64f0217feb
participants (2)
- SATOH Fumiyasu
- Timo Sirainen