segmentation fault in fs_list_get_path
Hi,

There seems to be a straightforward bug in src/lib-storage/list/mailbox-list-fs.c:79. set->index_dir is unchecked prior to dereferencing (unlike on line 126 in the same file, where it is properly checked). This manifested on a FreeBSD server running dovecot 2.3.6 when clients tried to retrieve mail with subscriptions like `~/bar/baz`. This caused the `imap` child to crash, e.g. (slightly anonymized):

Core was generated by `imap: [foo w.x.y.z EXAMINE]'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000011593af4 in fs_list_get_path (_list=0x12444848, name=0x12416880 "/home/foo/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe150) at mailbox-list-fs.c:79
79	    *set->index_dir == '\0')
(gdb) bt
#0  0x0000000011593af4 in fs_list_get_path (_list=0x12444848, name=0x12416880 "/home/foo/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe150) at mailbox-list-fs.c:79
#1  0x0000000011559dd0 in mbox_list_get_path (list=0x12444848, name=0x124da410 "~/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe2c8) at mbox-storage.c:96
#2  0x000000001150ed0b in mailbox_list_get_path (list=0x12444848, name=0x124da410 "~/bar/baz", type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe2c8) at mailbox-list.c:1387
#3  0x00000000114f8aaf in get_path_to (box=0x124da048, type=MAILBOX_LIST_PATH_TYPE_INDEX, internal_path=0x124da250, path_r=0x7fffffffe2c8) at mail-storage.c:2662
#4  0x00000000114f89e9 in mailbox_get_path_to (box=0x124da048, type=MAILBOX_LIST_PATH_TYPE_INDEX, path_r=0x7fffffffe2c8) at mail-storage.c:2678
#5  0x00000000114f928c in mailbox_create_missing_dir (box=0x124da048, type=MAILBOX_LIST_PATH_TYPE_INDEX) at mail-storage.c:2826
#6  0x00000000115cf049 in index_storage_mailbox_alloc_index (box=0x124da048) at index-storage.c:243
#7  0x00000000115cf43f in index_storage_mailbox_open (box=0x124da048, move_to_memory=false) at index-storage.c:297
#8  0x000000001155a715 in mbox_mailbox_open_finish (mbox=0x124da048, move_to_memory=false) at mbox-storage.c:413
#9  0x000000001155a94b in mbox_mailbox_open_existing (mbox=0x124da048) at mbox-storage.c:452
#10 0x0000000011559309 in mbox_mailbox_open (box=0x124da048) at mbox-storage.c:489
#11 0x00000000115a446e in mailbox_list_index_open_mailbox (box=0x124da048) at mailbox-list-index.c:720
#12 0x00000000114f43ed in mailbox_open_full (box=0x124da048, input=0x0) at mail-storage.c:1294
#13 0x00000000114f4117 in mailbox_open (box=0x124da048) at mail-storage.c:1350
#14 0x000000000103d788 in select_open (ctx=0x12443228, mailbox=0x12416810 "~/bar/baz", readonly=true) at cmd-select.c:287
#15 0x000000000103d307 in cmd_select_full (cmd=0x12443048, readonly=true) at cmd-select.c:415
#16 0x0000000001034afa in cmd_examine (cmd=0x12443048) at cmd-examine.c:8
#17 0x000000000104a520 in command_exec (cmd=0x12443048) at imap-commands.c:201
#18 0x000000000104804e in client_command_input (cmd=0x12443048) at imap-client.c:1164
#19 0x00000000010483cf in client_command_input (cmd=0x12443048) at imap-client.c:1227
#20 0x00000000010469fc in client_handle_next_command (client=0x12442848, remove_io_r=0x7fffffffe8c7) at imap-client.c:1269
#21 0x00000000010463c0 in client_handle_input (client=0x12442848) at imap-client.c:1283
#22 0x0000000001044134 in client_input (client=0x12442848) at imap-client.c:1329
#23 0x0000000011b6bd1c in io_loop_call_io (io=0x1244f240) at ioloop.c:703
#24 0x0000000011b6fc08 in io_loop_handler_run_internal (ioloop=0x1242b0a0) at ioloop-kqueue.c:160
#25 0x0000000011b6c37e in io_loop_handler_run (ioloop=0x1242b0a0) at ioloop.c:755
#26 0x0000000011b6c146 in io_loop_run (ioloop=0x1242b0a0) at ioloop.c:728
#27 0x0000000011a87dcb in master_service_run (service=0x12436000, callback=0x1060080 <client_connected>) at master-service.c:781
#28 0x000000000105f870 in main (argc=1, argv=0x7fffffffeb20) at main.c:523
(gdb) p set->index_dir
$3 = 0x0

The following one-liner fixes the immediate problem (although I didn't look closely to see what set->index_dir means in the context
of MAILBOX_LIST_PATH_TYPE_INDEX): --- src/lib-storage/list/mailbox-list-fs.c~ 2019-04-30 06:25:06.000000000 -0600 +++ src/lib-storage/list/mailbox-list-fs.c 2019-08-02 16:23:57.254087000 -0600 @@ -76,6 +76,7 @@ if (mailbox_list_try_get_absolute_path(_list, &name)) { if (type == MAILBOX_LIST_PATH_TYPE_INDEX && + set->index_dir != NULL && *set->index_dir == '\0') return 0; *path_r = name; David
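Review bot: The added `set->index_dir != NULL &&` does stop the NULL dereference, but look at what the NULL case now does: the `&&` short-circuits, `return 0;` is skipped, and the function falls through to `*path_r = name;`, so a NULL index_dir is treated like a configured index directory rather than like the empty-string "no index dir" case that returns 0. Since the message itself says the meaning of set->index_dir for MAILBOX_LIST_PATH_TYPE_INDEX was not checked, the patch should state which of the two behaviours is intended, and the existing NULL check at line 126 that the report mentions is the obvious thing to compare the condition against. A one-line comment in the hunk saying why a NULL index_dir is allowed to reach `*path_r = name;` would also help the next reader of this function.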
On 3 Aug 2019, at 21.22, David M. Johnson via dovecot <dovecot@dovecot.org> wrote:
> There seems to be a straightforward bug in src/lib-storage/list/mailbox-list-fs.c:79. set->index_dir is unchecked prior to dereferencing (unlike on line 126 in the same file, where it is properly checked). This manifested on a FreeBSD server running dovecot 2.3.6 when clients tried to retrieve mail with subscriptions like `~/bar/baz`. This caused the `imap` child to crash, e.g. (slightly anonymized)
Could you also send your doveconf -n output? It would likely help in creating a reproducible test.
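To make the difference between the crash and the two possible "fixed" behaviours concrete, here is a small model of the decision in fs_list_get_path. It is an added example written for this page, not Dovecot code: the struct, the enum and the function names are constructed stand-ins, and only the field name index_dir, the condition from the backtrace and the one-line patch come from the thread above. The model shows that the unpatched condition dereferences a NULL index_dir (what gdb printed as `$3 = 0x0`), that the posted patch makes a NULL index_dir fall through to "return the mailbox path", and, as a labelled hypothetical alternative, what treating NULL like "" would return instead; the thread does not say which of the two is the intended semantics.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the settings struct that the crash dereferences.
 * Only the field name index_dir is from the report; the struct is an
 * assumption made for this example. */
struct model_list_settings {
	const char *index_dir;	/* NULL: unset, "": explicitly empty, else a path */
};

/* Stand-in for the MAILBOX_LIST_PATH_TYPE_* values named in the backtrace. */
enum model_path_type {
	MODEL_PATH_TYPE_MAILBOX,
	MODEL_PATH_TYPE_INDEX
};

/* Does the unpatched condition (type == INDEX && *set->index_dir == '\0')
 * read through a NULL pointer for this input? This is the SIGSEGV in the
 * backtrace: gdb printed set->index_dir as 0x0. The real dereference is
 * deliberately not performed here. */
bool unpatched_would_deref_null(const struct model_list_settings *set,
				enum model_path_type type)
{
	return type == MODEL_PATH_TYPE_INDEX && set->index_dir == NULL;
}

/* Semantics of the one-line patch from the thread: the NULL test is
 * evaluated before the dereference, a NULL index_dir short-circuits the &&,
 * and the function falls through to "*path_r = name; return 1", i.e. NULL
 * is handled like a configured index directory. */
int patched_get_path(const struct model_list_settings *set,
		     enum model_path_type type, const char *name,
		     const char **path_r)
{
	if (type == MODEL_PATH_TYPE_INDEX &&
	    set->index_dir != NULL &&
	    *set->index_dir == '\0')
		return 0;
	*path_r = name;
	return 1;
}

/* Hypothetical alternative, not proposed in the thread: treat NULL the same
 * as "" and report "no index directory" (return 0, path_r untouched).
 * Which variant is correct depends on what a NULL index_dir means in
 * Dovecot's settings, which the report explicitly leaves open. */
int strict_get_path(const struct model_list_settings *set,
		    enum model_path_type type, const char *name,
		    const char **path_r)
{
	if (type == MODEL_PATH_TYPE_INDEX &&
	    (set->index_dir == NULL || *set->index_dir == '\0'))
		return 0;
	*path_r = name;
	return 1;
}

int main(void)
{
	/* Constructed inputs mirroring the report: an absolute mailbox name
	 * and a request for the INDEX path. */
	const struct model_list_settings unset = { .index_dir = NULL };
	const struct model_list_settings empty = { .index_dir = "" };
	const char *name = "/home/foo/bar/baz";
	const char *path;
	int ret;

	printf("unpatched code dereferences NULL for INDEX: %s\n",
	       unpatched_would_deref_null(&unset, MODEL_PATH_TYPE_INDEX) ? "yes" : "no");

	path = NULL;
	ret = patched_get_path(&unset, MODEL_PATH_TYPE_INDEX, name, &path);
	printf("patched, NULL index_dir: ret=%d path=%s\n", ret, path ? path : "(unset)");

	path = NULL;
	ret = strict_get_path(&unset, MODEL_PATH_TYPE_INDEX, name, &path);
	printf("strict,  NULL index_dir: ret=%d path=%s\n", ret, path ? path : "(unset)");

	path = NULL;
	ret = patched_get_path(&empty, MODEL_PATH_TYPE_INDEX, name, &path);
	printf("patched, \"\" index_dir:   ret=%d path=%s\n", ret, path ? path : "(unset)");
	return 0;
}
```

Run as-is it prints the three outcomes side by side; the point to take from it is that the patch changes a crash into a silent choice of behaviour for the NULL case, which is exactly why the doveconf -n output requested above matters for deciding which variant fs_list_get_path should have.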
Participants (2):
- David M. Johnson
- Timo Sirainen