LMTP delivery segfaults when user is over quota.

Stephan Bosch stephan at rename-it.nl
Tue Mar 6 03:37:33 EET 2018 

Op 3/4/2018 om 4:57 PM schreef Reio Remma:
> On 04.03.2018 16:25, Reio Remma wrote:
>> Hello!
>>
>> I'm having crashes with LMTP delivery when user is over quota on the
>> latest CentOS 7.4 with the latest Dovecot 2.3.0.1 from Dovecot repo.
>>
>> I see the issue has been fixed on January 17, but it doesn't seem to
>> have made it into 2.3.0.1 (I compared with the source from
>> https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz).
>>
>> https://github.com/dovecot/core/commit/2bf919786518d138cc07d9cc21e14ad5e07e5e56#diff-7964e00c46515956a959fa47fc86d605
>>
>> I also noticed a similar construct being used on line 465
>> (rcpt->rcpt.rcpt->path) that was causing the segfault on the above
>> commit on line 136.
>>
>> struct smtp_address *rcpt_to = rcpt->rcpt.rcpt->path;
>>
>> Should that also use rcpt->rcpt.path; ?
>>
>> Thanks from the other side of the gulf!
>> Reio
>>
>
> I now managed to coax a core dump out of CentOS - here it is.

That is this one:
https://github.com/dovecot/core/commit/c23717da4af9d3275cb45cbc67faaa8daa353ec1#diff-7964e00c46515956a959fa47fc86d605

>
> Thanks!
> Reio
>
> Reading symbols from /usr/libexec/dovecot/lmtp...Reading symbols from
> /usr/lib/debug/usr/libexec/dovecot/lmtp.debug...done.
> done.
> [New LWP 18733]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `dovecot/lmtp -L'.
> Program terminated with signal 11, Segmentation fault.
> #0  smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050
> "5.2.2", fmt=0x562468e05042 "<%s> %s") at smtp-server-reply.c:210
> 210             i_assert(cmd->replies_expected <= 1);
> (gdb) bt full
> #0  smtp_server_reply (_cmd=0x0, status=552, enh_code=0x562468e05050
> "5.2.2", fmt=0x562468e05042 "<%s> %s") at smtp-server-reply.c:210
>         cmd = <error reading variable cmd (Cannot access memory at
> address 0x20)>
>         args = {{gp_offset = 1790721792, fp_offset = 22052,
> overflow_arg_area = 0x56246abc3f14, reg_save_area = 0x56246ab70b58}}
>         __func__ = "smtp_server_reply"
> #1  0x0000562468e034d7 in lmtp_local_deliver (session=0x56246abe2cd8,
> src_mail=0x56246abde0a8, rcpt=0x56246abada50, trans=0x56246abc3df8,
> cmd=0x56246ab81868, local=0x56246ab7cba0) at lmtp-local.c:621
>         set_parser = <optimized out>
>         line = <optimized out>
>         str = 0x56246ab70068
>         proxy_data = {proto = SMTP_PROXY_PROTOCOL_LMTP, source_ip =
> {family = 0, u = {ip6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15
> times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0,
> 0, 0}}}, ip4 = {s_addr = 0}}},
>           source_port = 0, helo = 0x56246abc3c80 "bwo.mrstuudio.ee",
> login = 0x0, ttl_plus_1 = 0, timeout_secs = 0, extra_fields = 0x0,
> extra_fields_count = 0}
>         delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043}
>         sets = <optimized out>
>         rcpt_user = 0x56246abe30e8
>         mail_set = <optimized out>
>         username = <optimized out>
>         rcpt_idx = 0
>         smtp_set = 0x56246abcf448
>         lda_set = 0x56246abcf4b8
>         ns = <optimized out>
>         rcpt_to = 0x56246abc3f00
>         trcpt = 0x56246abc3ec0
>         storage = 0x56246abe8838
>         mail_error = MAIL_ERROR_NOQUOTA
>         ret = <optimized out>
>         client = 0x56246abaf538
>         service_user = <optimized out>
>         dctx = {pool = 0x56246abe2cb0, set = 0x56246abcf4b8, smtp_set
> = 0x56246abcf448, session = 0x56246abe2cd8, session_time_msecs = 24,
> delivery_time_started = {tv_sec = 1520176597, tv_usec = 704043},
> dup_db = 0x0,
>           session_id = 0x56246abadab0 "PAN2KNUNnFotSQAAinc3nQ",
> src_mail = 0x56246abde0a8, mail_from = 0x56246abc3e98, mail_params =
> {auth = 0x0, body = {type = SMTP_PARAM_MAIL_BODY_TYPE_UNSPECIFIED, ext
> = 0x0}, envid = 0x0,
>             ret = SMTP_PARAM_MAIL_RET_UNSPECIFIED, size = 0,
> extra_params = {arr = {buffer = 0x0, element_size = 0}, v = 0x0,
> v_modifiable = 0x0}}, rcpt_to = 0x56246abc3f00, rcpt_params = {orcpt =
> {addr_type = 0x0,
>               addr = 0x56246abc3f00, addr_raw = 0x0}, notify =
> SMTP_PARAM_RCPT_NOTIFY_UNSPECIFIED, extra_params = {arr = {buffer =
> 0x0, element_size = 0}, v = 0x0, v_modifiable = 0x0}}, rcpt_user =
> 0x56246abe30e8,
>           rcpt_default_mailbox = 0x562468e05064 "INBOX", dest_mail =
> 0x0, cache = 0x56246abe2df8, tempfail_error = 0x0, tried_default_save
> = true, saved_mail = false, save_dest_mail = false, mailbox_full =
> false, dsn = false}
>         input = <optimized out>
>         var_table = <optimized out>
>         error = 0x56246abfb3a0 "Kasutaja postkast on täis."
> #2  lmtp_local_deliver_to_rcpts (session=0x56246abe2cd8,
> trans=0x56246abc3df8, cmd=0x56246ab81868, local=0x56246ab7cba0) at
> lmtp-local.c:657
>         rcpt = 0x56246abada50
>         first_uid = 4294967295
>         src_mail = 0x56246abde0a8
>         count = 1
>         i = 0
>         rcpts = <optimized out>
> #3  lmtp_local_data (client=client at entry=0x56246abaf538,
> cmd=cmd at entry=0x56246ab81868, trans=trans at entry=0x56246abc3df8,
> input=<optimized out>) at lmtp-local.c:734
>         local = 0x56246ab7cba0
>         session = 0x56246abe2cd8
>         old_uid = 0
> #4  0x0000562468e02123 in cmd_data_finish (trans=0x56246abc3df8,
> cmd=0x56246ab81868, client=0x56246abaf538) at commands.c:144
>         state = 0x56246abaf5c0
>         input_proxy = 0x0
>         input_msg = 0x0
>         input_local = 0x56246abd5348
>         inputs = {0x0, 0x56246abcd108, 0x0}
> #5  cmd_data_continue (conn_ctx=0x56246abaf538, cmd=0x56246ab81868,
> trans=0x56246abc3df8) at commands.c:190
>         client = 0x56246abaf538
>         state = 0x56246abaf5c0
>         data_input = <optimized out>
>         data = <optimized out>
>         size = 1750
>         ret = <optimized out>
>         __func__ = "cmd_data_continue"
> #6  0x00007fc8abd7a250 in cmd_data_handle_input (cmd=0x56246ab81868)
> at smtp-server-cmd-data.c:199
>         conn = 0x56246abbeae0
>         callbacks = 0x562469006720 <lmtp_callbacks>
>         command = 0x56246ab81868
>         data_cmd = 0x56246abc3148
>         ret = <optimized out>
>         __func__ = "cmd_data_handle_input"
> #7  0x00007fc8abe0cdf5 in io_loop_call_io (io=0x56246abbf020) at
> ioloop.c:614
>         ioloop = 0x56246ab76c30
>         t_id = 2
>         __func__ = "io_loop_call_io"
> #8  0x00007fc8abe0e69f in io_loop_handler_run_internal
> (ioloop=ioloop at entry=0x56246ab76c30) at ioloop-epoll.c:222
>         ctx = 0x56246ab82190
>         events = <optimized out>
>         list = 0x56246abafd60
>         io = <optimized out>
>         tv = {tv_sec = 299, tv_usec = 999415}
>         events_count = <optimized out>
>         msecs = <optimized out>
>         ret = 1
>         i = 0
>         call = <optimized out>
> ---Type <return> to continue, or q <return> to quit---
>         __func__ = "io_loop_handler_run_internal"
> #9  0x00007fc8abe0cef2 in io_loop_handler_run
> (ioloop=ioloop at entry=0x56246ab76c30) at ioloop.c:666
>         __func__ = "io_loop_handler_run"
> #10 0x00007fc8abe0d118 in io_loop_run (ioloop=0x56246ab76c30) at
> ioloop.c:639
>         __func__ = "io_loop_run"
> #11 0x00007fc8abd8ace3 in master_service_run (service=0x56246ab76ac0,
> callback=callback at entry=0x562468e013d0 <client_connected>) at
> master-service.c:767
> No locals.
> #12 0x0000562468e011a6 in main (argc=2, argv=0x56246ab76890) at main.c:159
>         set_roots = {0x7fc8ac095fa0 <smtp_submit_setting_parser_info>,
> 0x7fc8ac5f6ba0 <lda_setting_parser_info>, 0x562469006560
> <lmtp_setting_parser_info>, 0x0}
>         service_flags = <optimized out>
>         storage_service_flags = <optimized out>
>         tmp_base_dir = 0x56246ab6e040 "tp data)"
>         c = <optimized out>
>         error = 0x0
>

More information about the dovecot mailing list