Segfault on LIST Command
Thorsten Hater
thorsten.hater at gmail.com
Thu Jan 19 13:56:27 UTC 2017
The Problem arises due to a NULL deref in mail_namespaces.c line 601.
Backtrace below
x LIST "" ""
Program received signal SIGSEGV, Segmentation fault.
mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
(gdb) bt
#0 mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
#1 0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "",
client=0x65a590) at cmd-list.c:324
#2 cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at cmd-list.c:461
#3 0x0000000000419825 in command_exec (cmd=cmd at entry=0x65aee0) at
imap-commands.c:181
#4 0x0000000000417de2 in client_command_input (cmd=cmd at entry=0x65aee0) at
imap-client.c:988
#5 0x0000000000417e70 in client_command_input (cmd=0x65aee0) at
imap-client.c:1048
#6 0x00000000004181e5 in client_handle_next_command
(remove_io_r=<synthetic pointer>, client=0x65a590) at imap-client.c:1090
#7 client_handle_input (client=0x65a590) at imap-client.c:1102
#8 0x0000000000418692 in client_input (client=0x65a590) at
imap-client.c:1149
#9 0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at ioloop.c:589
#10 0x00007ffff762ab4a in io_loop_handler_run_internal
(ioloop=ioloop at entry=0x63e7f0)
at ioloop-epoll.c:222
#11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop at entry=0x63e7f0)
at ioloop.c:637
#12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at ioloop.c:613
#13 0x00007ffff75b9823 in master_service_run (service=0x63e690,
callback=callback at entry=0x423d40 <client_connected>) at master-service.c:641
#14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <thorsten.hater at gmail.com>
wrote:
> Dear all,
>
> I experience SegFaults in the imap binary on a LIST "" "" command,
> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
> Here is an example telnet session
>
> $ telnet 127.0.0.1 143
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> AUTH=PLAIN] Dovecot ready.
> 01 LOGIN **** ****
> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
> CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
> 02 LIST "" ""
> Connection closed by foreign host.
>
> In the log file
>
> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803 killed
> with signal 11 (core dumps disabled)
>
> Please find the config below.
>
> Best regards,
> Thorsten
>
> $ doveconf -n
> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (1dc4c73)
> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
> auth_debug = yes
> auth_debug_passwords = yes
> auth_socket_path = /var/run/dovecot/auth-userdb
> auth_verbose = yes
> base_dir = /var/run/dovecot/
> default_internal_user = pop
> first_valid_uid = 48
> import_environment = TZ DEBUG=1
> last_valid_uid = 48
> login_trusted_networks = ****
> mail_debug = yes
> mail_gid = pop
> mail_plugins = " mail_log notify zlib quota"
> mail_uid = pop
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
> copy include variables body enotify environment mailbox date index ihave
> duplicate mime foreverypart extracttext
> namespace inbox {
> inbox = yes
> list = children
> location =
> mailbox Drafts {
> auto = no
> special_use = \Drafts
> }
> mailbox Sent {
> auto = no
> special_use = \Sent
> }
> mailbox Trash {
> auto = no
> autoexpunge = 30 days
> special_use = \Trash
> }
> mailbox drafts {
> auto = no
> special_use = \Drafts
> }
> mailbox sent {
> auto = no
> special_use = \Sent
> }
> mailbox spamverdacht {
> auto = no
> autoexpunge = 30 days
> special_use = \Junk
> }
> mailbox trash {
> auto = no
> autoexpunge = 30 days
> special_use = \Trash
> }
> mailbox virenverdacht {
> auto = no
> autoexpunge = 30 days
> special_use = \Junk
> }
> prefix = INBOX.
> separator = .
> subscriptions = yes
> type = private
> }
> passdb {
> args = nopassword=y
> driver = static
> }
> plugin {
> last_login_dict = file:~/lastlogin
> mail_log_events = delete undelete expunge copy mailbox_delete
> mailbox_rename
> mail_log_fields = uid box msgid size
> quota = maildir:User quota
> quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
> quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
> quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
> sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
> sieve_dir = ~/sieve
> sieve_plugins = sieve_storage_ldap
> zlib_save = gz
> zlib_save_level = 6
> }
> service imap {
> executable = imap postlogin
> }
> service pop3 {
> executable = pop3 postlogin
> }
> service postlogin {
> executable = script-login -d rawlog
> }
> service quota-warning {
> executable = script /bin/quota-warning.sh
> }
> ssl = no
> userdb {
> args = /etc/dovecot/userdb-ldap.conf
> driver = ldap
> result_failure = return-fail
> result_internalfail = return-fail
> result_success = continue-ok
> }
> userdb {
> default_fields = quota_bytes=42M
> driver = bdb_quota
> override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
> result_failure = return-fail
> result_internalfail = return-fail
> result_success = continue-ok
> }
> verbose_proctitle = yes
> protocol lda {
> auth_socket_path = /var/run/dovecot/auth-userdb
> mail_plugin_dir = /lib/dovecot/modules
> mail_plugins = " mail_log notify zlib quota sieve"
> }
> protocol imap {
> mail_plugins = " mail_log notify zlib quota imap_xauth last_login
> imap_quota"
> }
> protocol pop3 {
> mail_plugins = " mail_log notify zlib quota last_login"
> }
>
More information about the dovecot
mailing list