Dovecot 2.3.9 - lmtp crashes with Signal 11

Michael Stilkerich ms at mike2k.de
Fri Dec 13 13:21:51 EET 2019


Sure, addr is NULL:

(gdb) p *addr
Cannot access memory at address 0x0

Michael

> On 13. Dec 2019, at 12:16, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> 
> Can you provide p *addr?
> 
> Aki
> 
> On 13.12.2019 13.15, Michael Stilkerich wrote:
>> Hi,
>> 
>>  and the backtrace (essentially same as before except for the line numbers moved by the code changes):
>> 
>> Core was generated by `dovecot/lmtp'.
>> Program terminated with signal SIGSEGV, Segmentation fault.
>> #0  decode_address_header (pool=pool at entry=0x5569a8e10550, hdr=0x5569a8e15cd8 "", address_r=address_r at entry=0x5569a8e108d0,
>>    name_r=name_r at entry=0x5569a8e108d8) at push-notification-event-message-common.c:22
>> 22      push-notification-event-message-common.c: No such file or directory.
>> (gdb) bt
>> #0  decode_address_header (pool=pool at entry=0x5569a8e10550, hdr=0x5569a8e15cd8 "", address_r=address_r at entry=0x5569a8e108d0,
>>    name_r=name_r at entry=0x5569a8e108d8) at push-notification-event-message-common.c:22
>> #1  0x00007fece33adfdb in decode_address_header (name_r=0x5569a8e108d8, address_r=0x5569a8e108d0, hdr=<optimized out>, pool=0x5569a8e10550)
>>    at push-notification-event-message-common.c:67
>> #2  push_notification_message_fill (mail=mail at entry=0x5569a8e14898, pool=0x5569a8e10550,
>>    event_flags=(PUSH_NOTIFICATION_MESSAGE_HDR_FROM | PUSH_NOTIFICATION_MESSAGE_HDR_TO | PUSH_NOTIFICATION_MESSAGE_HDR_SUBJECT | PUSH_NOTIFICATION_MESSAGE_HDR_DATE | PUSH_NOTIFICATION_MESSAGE_BODY_SNIPPET), from=<optimized out>, to=<optimized out>, subject=<optimized out>, date=0x5569a8e10890,
>>    date_tz=0x5569a8e10898, message_id=0x5569a8e108b8, flags=0x5569a8e108ac, flags_set=0x5569a8e108a8, keywords=0x5569a8e108b0, snippet=0x5569a8e108a0,
>>    ext=0x5569a8e108c0) at push-notification-event-message-common.c:67
>> #3  0x00007fece33ada41 in push_notification_event_messagenew_event (ptxn=0x5569a8e10578, ec=0x5569a8e10820, msg=0x5569a8e10850, mail=0x5569a8e14898)
>>    at push-notification-event-messagenew.c:83
>> #4  0x00007fece33af1dd in push_notification_trigger_msg_save_new (txn=0x5569a8e10578, mail=0x5569a8e14898, msg=0x5569a8e10850)
>>    at push-notification-triggers.c:138
>> #5  0x00007fece3e4d2f3 in notify_contexts_mail_save (mail=0x5569a8e14898) at notify-plugin.c:62
>> #6  0x00007fece3e4e5b8 in notify_copy (ctx=0x5569a8e110f0, mail=0x5569a8dd1b18) at notify-storage.c:104
>> #7  0x00007fece406073d in quota_copy (ctx=0x5569a8e110f0, mail=0x5569a8dd1b18) at quota-storage.c:302
>> #8  0x00007fece59e9e32 in mailbox_copy_int (_ctx=<optimized out>, mail=0x5569a8dd1b18) at mail-storage.c:2759
>> #9  0x00007fece1e7107f in ?? () from /usr/lib/dovecot/libdovecot-sieve.so.0
>> #10 0x00007fece1e6664c in ?? () from /usr/lib/dovecot/libdovecot-sieve.so.0
>> #11 0x00007fece1e6711b in sieve_result_implicit_keep () from /usr/lib/dovecot/libdovecot-sieve.so.0
>> #12 0x00007fece1e7a6e1 in sieve_multiscript_finish () from /usr/lib/dovecot/libdovecot-sieve.so.0
>> #13 0x00007fece20e6488 in ?? () from /usr/lib/dovecot/modules/lib90_sieve_plugin.so
>> #14 0x00007fece5cfa60d in mail_do_deliver (storage_r=0x7ffc0dcb6d00, ctx=0x7ffc0dcb6df0) at mail-deliver.c:542
>> #15 mail_deliver (ctx=ctx at entry=0x7ffc0dcb6df0, storage_r=storage_r at entry=0x7ffc0dcb6d00) at mail-deliver.c:592
>> #16 0x00005569a7b930e1 in lmtp_local_default_deliver (client=0x5569a8d97898, lrcpt=<optimized out>, cmd=<optimized out>, trans=<optimized out>,
>>    lldctx=0x7ffc0dcb7030) at lmtp-local.c:593
>> #17 0x00005569a7b938cf in lmtp_local_deliver (local=0x5569a8dbd9b0, local=0x5569a8dbd9b0, session=0x5569a8dd6748, src_mail=0x5569a8dd1b18,
>>    llrcpt=0x5569a8db8600, trans=0x5569a8db8ab8, cmd=0x5569a8db8088) at lmtp-local.c:530
>> #18 lmtp_local_deliver_to_rcpts (session=0x5569a8dd6748, trans=0x5569a8db8ab8, cmd=0x5569a8db8088, local=0x5569a8dbd9b0) at lmtp-local.c:654
>> #19 lmtp_local_data (client=client at entry=0x5569a8d97898, cmd=cmd at entry=0x5569a8db8088, trans=trans at entry=0x5569a8db8ab8, input=<optimized out>)
>>    at lmtp-local.c:730
>> #20 0x00005569a7b920cf in client_default_cmd_data (client=0x5569a8d97898, cmd=0x5569a8db8088, trans=0x5569a8db8ab8, data_input=0x5569a8dbcc00,
>>    data_size=<optimized out>) at lmtp-commands.c:275
>> #21 0x00005569a7b91e6f in cmd_data_finish (trans=0x5569a8db8ab8, cmd=0x5569a8db8088, client=0x5569a8d97898) at lmtp-commands.c:165
>> #22 cmd_data_continue (conn_ctx=0x5569a8d97898, cmd=0x5569a8db8088, trans=0x5569a8db8ab8) at lmtp-commands.c:213
>> #23 0x00007fece56522c7 in cmd_data_do_handle_input (cmd=0x5569a8db8088) at smtp-server-cmd-data.c:285
>> #24 cmd_data_handle_input (cmd=0x5569a8db8088) at smtp-server-cmd-data.c:333
>> #25 0x00007fece56fc2af in io_loop_call_io (io=0x5569a8db68e0) at ioloop.c:718
>> #26 0x00007fece56fdc8c in io_loop_handler_run_internal (ioloop=ioloop at entry=0x5569a8d5cfd0) at ioloop-epoll.c:222
>> #27 0x00007fece56fc3c0 in io_loop_handler_run (ioloop=<optimized out>) at ioloop.c:770
>> #28 0x00007fece56fc5e8 in io_loop_run (ioloop=0x5569a8d5cfd0) at ioloop.c:743
>> #29 0x00007fece566a4b3 in master_service_run (service=0x5569a8d5ce60, callback=<optimized out>) at master-service.c:809
>> #30 0x00005569a7b90b45 in main (argc=<optimized out>, argv=<optimized out>) at main.c:169
>> 
>> Michael
>> 
>> 
>>> On 13. Dec 2019, at 12:10, Michael Stilkerich <ms at mike2k.de> wrote:
>>> 
>>> Hi Aki,
>>> 
>>> first thanks for the quick fix.
>>> 
>>> Unfortunately, it only resolves the issue partially. For the “To: undisclosed-recipients:;”, it works now. For “To: “ it still crashes (i.e. what I did with my manual lmtp dialog).
>>> 
>>> Michael
>>> 
>>>> On 13. Dec 2019, at 11:54, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>>> 
>>>> Hi!
>>>> 
>>>> We have released v2.3.9.1 fixing this issue.
>>>> 
>>>> Thank you for your effort!
>>>> 
>>>> Aki
>>>> 
>>>> On 13.12.2019 12.27, Michael Stilkerich wrote:
>>>>> Hello Aki,
>>>>> 
>>>>> the affected code location seems to be concerned with parsing the ’To:’ header. I checked all the mails causing the crash, the To: header is either empty (but present) or contains “undisclosed-recipients:;”.
>>>>> 
>>>>> I checked this manually and sure enough lmtp crashes:
>>>>> 
>>>>> nc -C -U dovecot-lmtp
>>>>> 220 keira.mike2k.de Dovecot ready.
>>>>> LHLO keira.mike2k.de
>>>>> 250-keira.mike2k.de
>>>>> 250-8BITMIME
>>>>> 250-CHUNKING
>>>>> 250-ENHANCEDSTATUSCODES
>>>>> 250-PIPELINING
>>>>> 250 STARTTLS
>>>>> MAIL FROM:<ms at mike2k.de>
>>>>> 250 2.1.0 OK
>>>>> RCPT TO:<mikey at localhost.mike2k.de>
>>>>> 250 2.1.5 OK
>>>>> DATA
>>>>> 354 OK
>>>>> To:
>>>>> 
>>>>> bla
>>>>> 
>>>>> .
>>>>> 
>>>>> 
>>>>> (and that's it, connection closed because of the segfault).
>>>>> 
>>>>> Michael
>>>>> 
>>>>>> On 11. Dec 2019, at 08:07, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>>>>> 
>>>>>> Hi!
>>>>>> 
>>>>>> Can you provide a mail sample and doveconf -n please?
>>>>>> 
>>>>>> Aki
>>>>>> 
>>>>>>> On 11/12/2019 08:57 Michael Stilkerich via dovecot <dovecot at dovecot.org> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> Hello,
>>>>>>> 
>>>>>>> since the upgrade from 2.3.8 to 2.3.9 (using the Ubuntu 18.04 packages from dovecot.org), lmtp crashes for me for some mails. Currently I have three pending mails in my postfix deferred queue since the upgrade a couple of days ago. I did not observe these issues with 2.3.8.
>>>>>>> 
>>>>>>> The backtrace from one of the coredumps:
>>>>>>> 
>>>>>>> Reading symbols from /usr/lib/dovecot/lmtp...Reading symbols from /usr/lib/debug/.build-id/f3/3a5089463b1234cbcf90bf10033d1dd5613821.debug...done.
>>>>>>> done.
>>>>>>> [New LWP 1554]
>>>>>>> [Thread debugging using libthread_db enabled]
>>>>>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>>>>>> Core was generated by `dovecot/lmtp'.
>>>>>>> Program terminated with signal SIGSEGV, Segmentation fault.
>>>>>>> #0  decode_address_header (pool=pool at entry=0x560631ad6d10, hdr=0x560631add4c8 "", address_r=address_r at entry=0x560631ad7090, name_r=name_r at entry=0x560631ad7098)
>>>>>>> at push-notification-event-message-common.c:20
>>>>>>> 20      push-notification-event-message-common.c: No such file or directory.
>>>>>>> (gdb) bt
>>>>>>> #0  decode_address_header (pool=pool at entry=0x560631ad6d10, hdr=0x560631add4c8 "", address_r=address_r at entry=0x560631ad7090, name_r=name_r at entry=0x560631ad7098)
>>>>>>> at push-notification-event-message-common.c:20
>>>>>>> #1  0x00007f3f37955fbb in decode_address_header (name_r=0x560631ad7098, address_r=0x560631ad7090, hdr=<optimized out>, pool=0x560631ad6d10) at push-notification-event-message-common.c:62
>>>>>>> #2  push_notification_message_fill (mail=mail at entry=0x560631adc088, pool=0x560631ad6d10,
>>>>>>> event_flags=(PUSH_NOTIFICATION_MESSAGE_HDR_FROM | PUSH_NOTIFICATION_MESSAGE_HDR_TO | PUSH_NOTIFICATION_MESSAGE_HDR_SUBJECT | PUSH_NOTIFICATION_MESSAGE_HDR_DATE | PUSH_NOTIFICATION_MESSAGE_BODY_SNIPPE$), from=<optimized out>, to=<optimized out>, subject=<optimized out>, date=0x560631ad7050, date_tz=0x560631ad7058, message_id=0x560631ad7078, flags=0x560631ad706c, flags_set=0x560631ad7068,
>>>>>>> keywords=0x560631ad7070, snippet=0x560631ad7060, ext=0x560631ad7080) at push-notification-event-message-common.c:62
>>>>>>> #3  0x00007f3f37955a41 in push_notification_event_messagenew_event (ptxn=0x560631ad6d38, ec=0x560631ad6fe0, msg=0x560631ad7010, mail=0x560631adc088) at push-notification-event-messagenew.c:83
>>>>>>> #4  0x00007f3f379571bd in push_notification_trigger_msg_save_new (txn=0x560631ad6d38, mail=0x560631adc088, msg=0x560631ad7010) at push-notification-triggers.c:138
>>>>>>> #5  0x00007f3f383f52f3 in notify_contexts_mail_save (mail=0x560631adc088) at notify-plugin.c:62
>>>>>>> #6  0x00007f3f383f65b8 in notify_copy (ctx=0x560631ad7890, mail=0x560631a98b18) at notify-storage.c:104
>>>>>>> #7  0x00007f3f3860873d in quota_copy (ctx=0x560631ad7890, mail=0x560631a98b18) at quota-storage.c:302
>>>>>>> #8  0x00007f3f39f91e32 in mailbox_copy_int (_ctx=<optimized out>, mail=0x560631a98b18) at mail-storage.c:2759
>>>>>>> #9  0x00007f3f3641907f in ?? () from /usr/lib/dovecot/libdovecot-sieve.so.0
>>>>>>> #10 0x00007f3f3640e64c in ?? () from /usr/lib/dovecot/libdovecot-sieve.so.0
>>>>>>> #11 0x00007f3f3640f11b in sieve_result_implicit_keep () from /usr/lib/dovecot/libdovecot-sieve.so.0
>>>>>>> #12 0x00007f3f364226e1 in sieve_multiscript_finish () from /usr/lib/dovecot/libdovecot-sieve.so.0
>>>>>>> #13 0x00007f3f3668e488 in ?? () from /usr/lib/dovecot/modules/lib90_sieve_plugin.so
>>>>>>> #14 0x00007f3f3a2a260d in mail_do_deliver (storage_r=0x7ffedf944b40, ctx=0x7ffedf944c30) at mail-deliver.c:542
>>>>>>> #15 mail_deliver (ctx=ctx at entry=0x7ffedf944c30, storage_r=storage_r at entry=0x7ffedf944b40) at mail-deliver.c:592
>>>>>>> #16 0x000056063169c0e1 in lmtp_local_default_deliver (client=0x560631a5e898, lrcpt=<optimized out>, cmd=<optimized out>, trans=<optimized out>, lldctx=0x7ffedf944e70) at lmtp-local.c:593
>>>>>>> #17 0x000056063169c8cf in lmtp_local_deliver (local=0x560631a849b0, local=0x560631a849b0, session=0x560631a9d748, src_mail=0x560631a98b18, llrcpt=0x560631a7f600, trans=0x560631a7fab8, cmd=0x560631a7f088)
>>>>>>> at lmtp-local.c:530
>>>>>>> #18 lmtp_local_deliver_to_rcpts (session=0x560631a9d748, trans=0x560631a7fab8, cmd=0x560631a7f088, local=0x560631a849b0) at lmtp-local.c:654
>>>>>>> #19 lmtp_local_data (client=client at entry=0x560631a5e898, cmd=cmd at entry=0x560631a7f088, trans=trans at entry=0x560631a7fab8, input=<optimized out>) at lmtp-local.c:730
>>>>>>> #20 0x000056063169b0cf in client_default_cmd_data (client=0x560631a5e898, cmd=0x560631a7f088, trans=0x560631a7fab8, data_input=0x560631a83c00, data_size=<optimized out>) at lmtp-commands.c:275
>>>>>>> #21 0x000056063169ae6f in cmd_data_finish (trans=0x560631a7fab8, cmd=0x560631a7f088, client=0x560631a5e898) at lmtp-commands.c:165
>>>>>>> #22 cmd_data_continue (conn_ctx=0x560631a5e898, cmd=0x560631a7f088, trans=0x560631a7fab8) at lmtp-commands.c:213
>>>>>>> #23 0x00007f3f39bfa2c7 in cmd_data_do_handle_input (cmd=0x560631a7f088) at smtp-server-cmd-data.c:285
>>>>>>> #24 cmd_data_handle_input (cmd=0x560631a7f088) at smtp-server-cmd-data.c:333
>>>>>>> #25 0x00007f3f39ca42af in io_loop_call_io (io=0x560631a7d8e0) at ioloop.c:718
>>>>>>> #26 0x00007f3f39ca5c8c in io_loop_handler_run_internal (ioloop=ioloop at entry=0x560631a23fd0) at ioloop-epoll.c:222
>>>>>>> #27 0x00007f3f39ca43c0 in io_loop_handler_run (ioloop=<optimized out>) at ioloop.c:770
>>>>>>> #28 0x00007f3f39ca45e8 in io_loop_run (ioloop=0x560631a23fd0) at ioloop.c:743
>>>>>>> #29 0x00007f3f39c124b3 in master_service_run (service=0x560631a23e60, callback=<optimized out>) at master-service.c:809
>>>>>>> #30 0x0000560631699b45 in main (argc=<optimized out>, argv=<optimized out>) at main.c:169
>>>>>>> 
>>>>>>> I can provide one of the mails causing the crash if helpful (they are all spam).
>>>>>>> 
>>>>>>> Best regards,
>>>>>>> Michael
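
As an added illustration (not part of the thread and not Dovecot's source): a simplified C model of the failure the backtraces and `p *addr` show, where a header with no mailbox yields a NULL address and the caller has to test for that before using it. `struct addr`, `parse_first_addr` and `decode_to_header` are hypothetical names, and the toy parser only understands `user@host` and `Name <user@host>`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified parsed address (not Dovecot's own struct). */
struct addr { char name[64], mailbox[64], domain[64]; };
/* Toy parser for "user@host" and "Name <user@host>". Returns NULL when the
 * header has no mailbox, e.g. an empty "To:" or "undisclosed-recipients:;". */
static struct addr *parse_first_addr(const char *hdr, struct addr *out)
{
    const char *lt = strchr(hdr, '<');
    const char *start = lt != NULL ? lt + 1 : hdr + strspn(hdr, " \t");
    const char *at = strchr(start, '@');
    size_t mlen, dlen, nlen = lt != NULL ? (size_t)(lt - hdr) : 0;
    memset(out, 0, sizeof(*out));
    if (at == NULL || at == start)
        return NULL;                       /* no addr-spec present */
    mlen = (size_t)(at - start);
    dlen = strcspn(at + 1, "> \t,;");
    if (dlen == 0 || mlen >= sizeof(out->mailbox) || dlen >= sizeof(out->domain))
        return NULL;
    memcpy(out->mailbox, start, mlen);
    memcpy(out->domain, at + 1, dlen);
    while (nlen > 0 && hdr[nlen - 1] == ' ')
        nlen--;                            /* trim display name before '<' */
    if (nlen < sizeof(out->name))
        memcpy(out->name, hdr, nlen);
    return out;
}

/* Caller that tests for the "no address" result before dereferencing it. */
bool decode_to_header(const char *hdr, char *address, size_t alen,
                      char *name, size_t nlen)
{
    struct addr buf, *addr;
    address[0] = name[0] = '\0';
    if (hdr == NULL || (addr = parse_first_addr(hdr, &buf)) == NULL)
        return false;
    snprintf(address, alen, "%s@%s", addr->mailbox, addr->domain);
    snprintf(name, nlen, "%s", addr->name);
    return true;
}

int main(void)
{
    /* Constructed header values: the two cases from the thread plus a normal one. */
    const char *cases[] = { "", "undisclosed-recipients:;", "Alice <alice@example.org>" };
    char a[160], n[64];
    for (size_t i = 0; i < 3; i++)
        printf("[%s] -> %d <%s>\n", cases[i], decode_to_header(cases[i], a, sizeof a, n, sizeof n), a);
}
```

Both header values reported in the thread, the empty `To:` and `undisclosed-recipients:;`, take the `false` path here, so they belong together in any regression test for this code path.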


