[PATCH] expire plugins segfault with misconfigured dict

Lazy lazy404 at gmail.com
Mon Jul 7 13:18:10 UTC 2014


dovecot 2.2.13

With a configuration like

plugin {
  expire_dict = blblbla
}

the expire plugin segfaults during deinit. It might also segfault if the
dict service was unavailable.

Attached below is a diff against 2.2.13.

Jul  7 14:51:11 dovecot1 dovecot: lmtp(10548, lazy): Error: expire plugin: dict_init(blblbla) failed: Dictionary URI is missing ':': blblbla
Jul  7 14:51:11 dovecot1 dovecot: lmtp(10548, lazy): Fatal: master: service(lmtp): child 10548 killed with signal 11 (core dumps disabled)


Program received signal SIGSEGV, Segmentation fault.
0x00007f337d8af8ae in dict_deinit (_dict=0x8) at dict.c:87
87              struct dict *dict = *_dict;

(gdb) bt
#0  0x00007f337d8af8ae in dict_deinit (_dict=0x8) at dict.c:87
#1  0x00007f337c88f647 in expire_mail_user_deinit (user=0x1b60e80) at expire-plugin.c:299
#2  0x00007f337cca3e7f in quota_user_deinit (user=0x1b60e80) at quota-storage.c:491
#3  0x00007f337dbcb0f1 in mail_user_unref (_user=0x1b2d070) at mail-user.c:163
#4  0x000000000040832b in client_input_data_write_local (client=0x1b2cf60, input=0x1b43f10) at commands.c:830
#5  0x0000000000408755 in client_input_data_write (client=0x1b2cf60) at commands.c:939
#6  0x0000000000408b18 in client_input_data_handle (client=0x1b2cf60) at commands.c:1033
#7  0x0000000000408b52 in client_input_data (client=0x1b2cf60) at commands.c:1042
#8  0x00007f337d8fc723 in io_loop_call_io (io=0x1b2c360) at ioloop.c:441
#9  0x00007f337d8fe6e5 in io_loop_handler_run_internal (ioloop=0x1b27740) at ioloop-epoll.c:220
#10 0x00007f337d8fc8be in io_loop_handler_run (ioloop=0x1b27740) at ioloop.c:488
#11 0x00007f337d8fc817 in io_loop_run (ioloop=0x1b27740) at ioloop.c:465
#12 0x00007f337d888d40 in master_service_run (service=0x1b275d0, callback=0x404b5c <client_connected>) at master-service.c:566
#13 0x0000000000404db2 in main (argc=1, argv=0x1b27390) at main.c:122

(gdb) p _dict
$1 = (struct dict **) 0x8

(gdb) bt full
#0  0x00007f337d8af8ae in dict_deinit (_dict=0x8) at dict.c:87
        dict = 0x10
#1  0x00007f337c88f647 in expire_mail_user_deinit (user=0x1b60e80) at expire-plugin.c:299
        euser = 0x0
#2  0x00007f337cca3e7f in quota_user_deinit (user=0x1b60e80) at quota-storage.c:491
        quser = 0x1b62958
        quota_set = 0x1b656a0
#3  0x00007f337dbcb0f1 in mail_user_unref (_user=0x1b2d070) at mail-user.c:163
        user = 0x1b60e80
        __FUNCTION__ = "mail_user_unref"
#4  0x000000000040832b in client_input_data_write_local (client=0x1b2cf60, input=0x1b43f10) at commands.c:830
        session = 0x1b60a70
        src_mail = 0x1b5c250
        old_uid = 300
        first_uid = 4294967295
        __FUNCTION__ = "client_input_data_write_local"
#5  0x0000000000408755 in client_input_data_write (client=0x1b2cf60) at commands.c:939
        input = 0x1b43f10
        ret = true
#6  0x0000000000408b18 in client_input_data_handle (client=0x1b2cf60) at commands.c:1033
        data = 0x1b556b8 "\330\001"
        size = 2
        ret = -1
#7  0x0000000000408b52 in client_input_data (client=0x1b2cf60) at commands.c:1042


--
Michal Grzedzicki
-------------- next part --------------
A non-text attachment was scrubbed...
Name: expire.path
Type: application/octet-stream
Size: 571 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20140707/981cdbeb/attachment.obj>
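
An added illustration, not the attached patch (which this archive page does not show) and not Dovecot's code: a simplified C model of what the backtrace points at, where `euser` is `0x0` in `expire_mail_user_deinit` and the value handed to `dict_deinit` is a small member offset (`_dict=0x8`). The struct layouts and the names `expire_ctx`, `expire_user_created`, `unguarded_deinit_arg` and `expire_user_deinit` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins (assumptions), not Dovecot's real definitions. */
struct dict { int unused; };
struct expire_user {
	void *module_ctx;	/* one pointer-sized member ahead of db */
	struct dict *db;
};
struct mail_user { struct expire_user *expire_ctx; };

/* Setup: a URI without ':' is rejected, so the context stays NULL. */
static void expire_user_created(struct mail_user *user, const char *uri)
{
	struct expire_user *euser;
	user->expire_ctx = NULL;
	if (strchr(uri, ':') == NULL)
		return;
	euser = calloc(1, sizeof(*euser));
	if (euser != NULL)
		euser->db = calloc(1, sizeof(*euser->db));
	user->expire_ctx = euser;
}

/* Address an unguarded deinit passes as &euser->db when euser is NULL. */
static size_t unguarded_deinit_arg(void)
{
	return offsetof(struct expire_user, db);
}

/* Guarded deinit: 1 if a context was released, 0 if none was set up. */
static int expire_user_deinit(struct mail_user *user)
{
	struct expire_user *euser = user->expire_ctx;
	if (euser == NULL)
		return 0;	/* setup failed earlier: nothing to tear down */
	free(euser->db);	/* free(NULL) is a no-op */
	free(euser);
	user->expire_ctx = NULL;
	return 1;
}

int main(void)
{
	struct mail_user user;
	expire_user_created(&user, "blblbla");
	printf("unguarded arg: %#zx, guarded deinit: %d\n", unguarded_deinit_arg(), expire_user_deinit(&user));
	return 0;
}
```

In this model the member offset equals the pointer size, which is 8 on a 64-bit build like the one in the trace.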

