[Dovecot] Dovecot 2.1.8 crashes when doing POP3 UIDL on empty INBOX

Joseph Tam jtam.home at gmail.com
Sat Jul 7 03:38:23 EEST 2012 

I noticed a bunch of crashes when Gmail users tried to slurp up their
(empty) mailboxes.  The problem is not noticed by clients though, but
it crashes the pop3 process.

POP3 session

 	S: +OK Ready.
 	C: USER user
 	S: +OK
 	C: PASS password
 	S: +OK Logged in.
 	C: UIDL
 	... server crash and disconnects ...

Resulting log

 	Jul 06 16:58:05 pop3(user): Panic: Trying to allocate 0 bytes
 	Jul 06 16:58:05 pop3(user): Error: Raw backtrace: 0xff1e6454 -> 0xff1e4f78 -> 0xff20689c -> 0x18240 -> 0x1843c -
 	> 0x185a0 -> 0x18a1c -> 0x1576c -> 0x159cc -> 0xff1fee6c -> 0xff200e24 -> 0xff1fef60 -> 0xff1d8010 -> 0x13584 -
 	> 0x1285c
 	Jul 06 16:58:14 pop3(user): Fatal: master: service(pop3): child 24972 killed with signal 6 (core dumps disabled)

GDB traceback:
 	#0  i_panic (format=0xff2302f8 "Trying to allocate %u bytes") at failures.c:259
 	#1  0xff2068a4 in pool_alloconly_malloc (pool=0x60330, size=0) at mempool-alloconly.c:259
 	#2  0x00018248 in client_uidls_save (client=0x54d28) at pop3-commands.c:761
 	#3  0x00018444 in cmd_uidl_init (client=0x54d28, seq=0) at pop3-commands.c:793
 	#4  0x000185a8 in cmd_uidl (client=0x54d28, args=0x19eb8 "") at pop3-commands.c:824
 	#5  0x00018a24 in client_command_execute (client=0x54d28, name=0x2b550 "UIDL", args=0x19eb8 "")
 	    at pop3-commands.c:889
 	#6  0x00015774 in client_handle_input (client=0x54d28) at pop3-client.c:629
 	#7  0x000159d4 in client_input (client=0x54d28) at pop3-client.c:682
 	#8  0xff1fee74 in io_loop_call_io (io=0x37298) at ioloop.c:379
 	#9  0xff200e2c in io_loop_handler_run (ioloop=0x34138) at ioloop-poll.c:211
 	#10 0xff1fef68 in io_loop_run (ioloop=0x34138) at ioloop.c:398
 	#11 0xff1d8018 in master_service_run (service=0x33c88, callback=0x13120 <client_connected>)
 	    at master-service.c:543
 	#12 0x0001358c in main (argc=1, argv=0xffbffe0c) at main.c:268

Some non-trivial changes in pop3-commands.c were done between 2.1.3 and
2.1.8 (expecially pop3_uidl_duplicates changes in 2.1.7).  I guess
this bug has crept in there.

Joseph Tam <jtam.home at gmail.com>

More information about the dovecot mailing list