Segfault on LIST Command

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jan 23 08:37:10 UTC 2017



On 19.01.2017 15:56, Thorsten Hater wrote:
> The problem is a NULL pointer dereference in mail-namespace.c, line 601:
> mail_namespaces_get_root_sep() is called with namespaces=0x0. Backtrace below.
>
> x LIST "" ""
>
> Program received signal SIGSEGV, Segmentation fault.
> mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
> 601 while ((namespaces->flags & NAMESPACE_FLAG_LIST_PREFIX) == 0)
> (gdb) bt
> #0  mail_namespaces_get_root_sep (namespaces=0x0) at mail-namespace.c:601
> #1  0x000000000041164c in cmd_list_ref_root (ref=0x65b060 "",
> client=0x65a590) at cmd-list.c:324
> #2  cmd_list_full (cmd=0x65aee0, lsub=<optimized out>) at cmd-list.c:461
> #3  0x0000000000419825 in command_exec (cmd=cmd@entry=0x65aee0) at
> imap-commands.c:181
> #4  0x0000000000417de2 in client_command_input (cmd=cmd@entry=0x65aee0) at
> imap-client.c:988
> #5  0x0000000000417e70 in client_command_input (cmd=0x65aee0) at
> imap-client.c:1048
> #6  0x00000000004181e5 in client_handle_next_command
> (remove_io_r=<synthetic pointer>, client=0x65a590) at imap-client.c:1090
> #7  client_handle_input (client=0x65a590) at imap-client.c:1102
> #8  0x0000000000418692 in client_input (client=0x65a590) at
> imap-client.c:1149
> #9  0x00007ffff76297ac in io_loop_call_io (io=0x652aa0) at ioloop.c:589
> #10 0x00007ffff762ab4a in io_loop_handler_run_internal
> (ioloop=ioloop@entry=0x63e7f0)
> at ioloop-epoll.c:222
> #11 0x00007ffff7629835 in io_loop_handler_run (ioloop=ioloop@entry=0x63e7f0)
> at ioloop.c:637
> #12 0x00007ffff76299d8 in io_loop_run (ioloop=0x63e7f0) at ioloop.c:613
> #13 0x00007ffff75b9823 in master_service_run (service=0x63e690,
> callback=callback@entry=0x423d40 <client_connected>) at master-service.c:641
> #14 0x000000000040c567 in main (argc=3, argv=0x63e390) at main.c:460
>
> On Thu, Jan 19, 2017 at 1:05 PM, Thorsten Hater <thorsten.hater at gmail.com>
> wrote:
>
>> Dear all,
>>
>> I experience SegFaults in the imap binary on a LIST "" "" command,
>> as sent by Claws mail. Using LIST "" "INBOX" or similar is fine.
>> Here is an example telnet session
>>
>> $ telnet 127.0.0.1 143
>> Trying 127.0.0.1...
>> Connected to 127.0.0.1.
>> Escape character is '^]'.
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>> AUTH=PLAIN] Dovecot ready.
>> 01 LOGIN **** ****
>> 01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
>> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
>> 02 LIST "" ""
>> Connection closed by foreign host.
>>
>> In the log file
>>
>> dovecot[8375]: imap(***): Fatal: master: service(imap): child 15803 killed
>> with signal 11 (core dumps disabled)
>>
>> Please find the config below.
>>
>> Best regards,
>>  Thorsten
>>
>> $ doveconf -n
>> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.16 (1dc4c73)
>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_socket_path = /var/run/dovecot/auth-userdb
>> auth_verbose = yes
>> base_dir = /var/run/dovecot/
>> default_internal_user = pop
>> first_valid_uid = 48
>> import_environment = TZ DEBUG=1
>> last_valid_uid = 48
>> login_trusted_networks = ****
>> mail_debug = yes
>> mail_gid = pop
>> mail_plugins = " mail_log notify zlib quota"
>> mail_uid = pop
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope encoded-character
>> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
>> copy include variables body enotify environment mailbox date index ihave
>> duplicate mime foreverypart extracttext
>> namespace inbox {
>>   inbox = yes
>>   list = children
>>   location =
>>   mailbox Drafts {
>>     auto = no
>>     special_use = \Drafts
>>   }
>>   mailbox Sent {
>>     auto = no
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     auto = no
>>     autoexpunge = 30 days
>>     special_use = \Trash
>>   }
>>   mailbox drafts {
>>     auto = no
>>     special_use = \Drafts
>>   }
>>   mailbox sent {
>>     auto = no
>>     special_use = \Sent
>>   }
>>   mailbox spamverdacht {
>>     auto = no
>>     autoexpunge = 30 days
>>     special_use = \Junk
>>   }
>>   mailbox trash {
>>     auto = no
>>     autoexpunge = 30 days
>>     special_use = \Trash
>>   }
>>   mailbox virenverdacht {
>>     auto = no
>>     autoexpunge = 30 days
>>     special_use = \Junk
>>   }
>>   prefix = INBOX.
>>   separator = .
>>   subscriptions = yes
>>   type = private
>> }
>> passdb {
>>   args = nopassword=y
>>   driver = static
>> }
>> plugin {
>>   last_login_dict = file:~/lastlogin
>>   mail_log_events = delete undelete expunge copy mailbox_delete
>> mailbox_rename
>>   mail_log_fields = uid box msgid size
>>   quota = maildir:User quota
>>   quota_warning = storage=80%% 80 %u %{userdb:quota_bytes}
>>   quota_warning2 = storage=90%% 90 %u %{userdb:quota_bytes}
>>   quota_warning3 = storage=95%% 95 %u %{userdb:quota_bytes}
>>   sieve = ldap:/etc/dovecot/pigeonhole-ldap.conf
>>   sieve_dir = ~/sieve
>>   sieve_plugins = sieve_storage_ldap
>>   zlib_save = gz
>>   zlib_save_level = 6
>> }
>> service imap {
>>   executable = imap postlogin
>> }
>> service pop3 {
>>   executable = pop3 postlogin
>> }
>> service postlogin {
>>   executable = script-login -d rawlog
>> }
>> service quota-warning {
>>   executable = script /bin/quota-warning.sh
>> }
>> ssl = no
>> userdb {
>>   args = /etc/dovecot/userdb-ldap.conf
>>   driver = ldap
>>   result_failure = return-fail
>>   result_internalfail = return-fail
>>   result_success = continue-ok
>> }
>> userdb {
>>   default_fields = quota_bytes=42M
>>   driver = bdb_quota
>>   override_fields = quota_rule=*:bytes=%{userdb:quota_bytes}
>>   result_failure = return-fail
>>   result_internalfail = return-fail
>>   result_success = continue-ok
>> }
>> verbose_proctitle = yes
>> protocol lda {
>>   auth_socket_path = /var/run/dovecot/auth-userdb
>>   mail_plugin_dir = /lib/dovecot/modules
>>   mail_plugins = " mail_log notify zlib quota sieve"
>> }
>> protocol imap {
>>   mail_plugins = " mail_log notify zlib quota imap_xauth last_login
>> imap_quota"
>> }
>> protocol pop3 {
>>   mail_plugins = " mail_log notify zlib quota last_login"
>> }
>>

Hi!

We are looking into this crash.

Are you intentionally setting the inbox namespace's location to empty (the "location =" line in your doveconf output)?

Aki

