[Dovecot] Possible CPU Denial-Of-Service attack to dovecot IMAP.
Hi All!
Some time ago, we received an e-mail message which causes a CPU exhaustion attack on our server.
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
26319 5751796   20   0  2868 1868 1484 R 99.2  0.1 22:04.77 imap
It happens when I try to open the mail folder with this buggy message.
Our setup:
-- slackware 11.0, x86_32
-- linux 2.6.31.6
-- dovecot 1.2.10
-- mailbox (not maildir) via NFS storage.
Details:
The buggy message is 1219733 bytes in size, and most of this size is the mail header.
Mail header mostly consists of a repeating block:
[...]
MIME-Version: 1.0
Content-type: text/plain; charset=windows-1251
Content-transfer-encoding: 8bit
Date: Thu, 25 Feb 2010 11:13:03 +0300
X-Priority: 0
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Sender: torrents@rutracker.org
Reply-to: torrents@rutracker.org
From: torrents@rutracker.org
Message-ID: <4052c9f301d0956f3fa1e855cca02d39@rutracker.org>
[...]
MIME-Version: 1.0
Content-type: text/plain; charset=windows-1251
Content-transfer-encoding: 8bit
Date: Thu, 25 Feb 2010 11:13:02 +0300
X-Priority: 0
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Sender: torrents@rutracker.org
Reply-to: torrents@rutracker.org
From: torrents@rutracker.org
Message-ID: <6162ed30245a86b8cb26e4a0bf4de562@rutracker.org>
[...]
3. strace shows that dovecot does this many, many times:
pread64(6, "-Sender: torrents@rutracker.org\n"..., 4038, 814845) = 4038
pread64(6, "s@rutracker.org\nMessage-ID: <461"..., 4083, 818883) = 4083
pread64(6, "arset=windows-1251\nContent-trans"..., 4068, 822966) = 4068
pread64(6, "ail-Priority: Normal\nX-Mailer: M"..., 4091, 827034) = 4091
- and gdb at that time:
(gdb) where
#0  0xb7604060 in memset () from /lib/tls/libc.so.6
#1  0x080d7483 in buffer_write (_buf=0x8131db0, pos=135470571, data=0x8132d52, data_size=2) at buffer.c:54
#2  0x080d74fb in buffer_append (buf=0x0, data=0x8132d52, data_size=2) at buffer.c:168
#3  0x080cebfe in read_header (mstream=0x8131be8) at istream-header-filter.c:214
#4  0x080cef07 in i_stream_header_filter_read (stream=0x8131be8) at istream-header-filter.c:301
#5  0x080cef79 in parse_header (mstream=0x8131be8) at istream-header-filter.c:323
#6  0x080cefce in i_stream_header_filter_seek (stream=0x8131be8, v_offset=128810, mark=false) at istream-header-filter.c:337
#7  0x080ddfdb in i_stream_seek (stream=0x8131c10, v_offset=128810) at istream.c:198
#8  0x0809c99c in i_stream_mail_stats_read_mail_stats (stream=0x812c460) at istream-mail-stats.c:43
#9  0x080ddbfc in i_stream_read (stream=0x812c488) at istream.c:85
#10 0x080de389 in i_stream_read_data (stream=0x812c488, data_r=0xbf9d82e4, size_r=0xbf9d82e8, threshold=2) at istream.c:366
#11 0x080d400b in message_get_header_size (input=0x812c488, hdr=0x81298fc, has_nuls=0x0) at message-size.c:56
#12 0x0808f976 in index_mail_init_stream (mail=0x81297d0, hdr_size=0xbf9d83b0, body_size=0xbf9d8390, stream_r=0x0) at index-mail.c:852
#13 0x080838a1 in mbox_mail_get_stream (_mail=0x81297d0, hdr_size=0xbf9d83b0, body_size=0xbf9d8390, stream_r=0xbf9d838c) at mbox-mail.c:322
#14 0x0808e9ac in index_mail_get_virtual_size (_mail=0x81297d0, size_r=0xbf9d8400) at index-mail.c:397
#15 0x080685a3 in fetch_rfc822_size (ctx=0x0, mail=0x81297d0, context=0x0) at imap-fetch-body.c:894
#16 0x0806607c in imap_fetch_more (ctx=0x811e030) at imap-fetch.c:472
#17 0x0805e370 in cmd_fetch (cmd=0x811dec8) at cmd-fetch.c:228
#18 0x0806292b in cmd_uid (cmd=0x811dec8) at cmd-uid.c:27
#19 0x08063726 in client_command_input (cmd=0x811dec8) at client.c:612
#20 0x080636d1 in client_command_input (cmd=0x811dec8) at client.c:661
#21 0x080638b3 in client_handle_input (client=0x811cc08) at client.c:701
#22 0x080642d6 in client_input (client=0x811cc08) at client.c:753
#23 0x080e1bf1 in io_loop_handler_run (ioloop=0x0) at ioloop-epoll.c:208
#24 0x080e0f79 in io_loop_run (ioloop=0x8119ab0) at ioloop.c:335
#25 0x0806c21a in main (argc=3, argv=0xbf9d86b4, envp=0xbf9d86c4) at main.c:327
- I can provide a download link to this buggy mailbox file if needed.
=koc
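Added example (not part of the original post, and not Dovecot code): a streaming scan that measures the header block of every message in an mbox file and flags the oversized ones, so a message like the one reported above can be located before an IMAP client opens the folder. The 64 KiB threshold, the function names and the sample mailbox are assumptions constructed for illustration.

```python
import io

HEADER_LIMIT = 64 * 1024  # assumed threshold; tune to local policy
BLANK = (b"\n", b"\r\n")

def header_sizes(fp):
    """Return [(offset, header_bytes, header_lines)] for each message
    in a binary mbox stream, reading one line at a time."""
    msgs = []
    in_header = False
    prev_blank = True          # start of file counts as a message boundary
    offset = 0
    for line in fp:
        if prev_blank and line.startswith(b"From "):
            msgs.append([offset, 0, 0])   # mbox "From " separator line
            in_header = True
        elif in_header:
            if line in BLANK:
                in_header = False         # blank line ends the header block
            else:
                msgs[-1][1] += len(line)
                msgs[-1][2] += 1
        prev_blank = line in BLANK
        offset += len(line)
    return [tuple(m) for m in msgs]

def oversized(fp, limit=HEADER_LIMIT):
    """Messages whose header block exceeds `limit` bytes."""
    return [m for m in header_sizes(fp) if m[1] > limit]

# Constructed sample: one ordinary message, one with a repeated header block.
BLOCK = (b"MIME-Version: 1.0\n"
         b"Content-type: text/plain; charset=windows-1251\n"
         b"X-Priority: 0\n")

def build_sample(repeats=2000):
    normal = (b"From a@example.org Thu Feb 25 11:13:03 2010\n"
              b"Subject: ok\n\nbody\n\n")
    bloated = (b"From b@example.org Thu Feb 25 11:13:03 2010\n"
               + BLOCK * repeats + b"\nbody\n\n")
    return io.BytesIO(normal + bloated)

if __name__ == "__main__":
    for off, size, lines in oversized(build_sample()):
        print(f"offset {off}: header {size} bytes in {lines} lines")
```

To scan a real mailbox, pass a file opened with open(path, "rb") instead of the constructed sample.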
participants (2): Kostik, Timo Sirainen