Strange LMTP crash
Michael Bacon
baconm at email.unc.edu
Tue Jul 14 13:45:08 EDT 2009
Hi, all,
I'm working through a bizarre segfault from lmtpd that occurs following a
rcpt to: command. The best I can describe what's going on is that somehow
the NULL value stored in the authstate pointer is getting changed to
0x1010101 when passed to the verify_user function. Here's a relevant GDB
snippet:
#5 0x00025950 in process_recipient (addr=0x172fbf "", namespace=0x162610,
ignorequota=0, verify_user=0x21310 <verify_user>, msg=0x179c08)
at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:901
901 in /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c
(gdb) print msg->authstate
$7 = (struct auth_state *) 0x0
(gdb) print *msg
$8 = {data = 0x0, f = 0x0, id = 0x0, size = 0,
return_path = 0x172f58 "<michael at snowplow.org>", rcpt = 0x172188,
rcpt_num = 0, authuser = 0x0, authstate = 0x0, rock = 0x0,
hdrcache = 0x17dda0}
(gdb) down
#4 0x0002163c in verify_user (user=0x16f950 "baconm", domain=0x0,
mailbox=0x0, quotacheck=0, authstate=0x1010101)
at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:1037
So process_recipient is calling verify_user with the correct value from
msg->authstate (0x0, although this is odd, since by this point I should be
authenticated, but whatever...). Once the process enters verify_user,
however, gdb shows that value as 0x1010101.
At some point down the line, the code checks to see if there's a value in
the pointer, and because there is, it proceeds to try to dereference
0x1010101 (in strcmp), resulting in the SEGV.
I'm still looking, but has anyone seen anything like this before?
-Michael
Backtrace below:
#0 0xfec31b60 in strcmp () from /lib/libc.so.1
#1 0x000a1a94 in mymemberof (auth_state=0x1010101,
identifier=0x172ff8 "baconm")
at /opt/local/src/cyrus-imapd-2.3.14/lib/auth_unix.c:84
#2 0x000a18d0 in auth_memberof (auth_state=0x1010101,
identifier=0x172ff8 "baconm")
at /opt/local/src/cyrus-imapd-2.3.14/lib/auth.c:94
#3 0x000a1110 in cyrus_acl_myrights (auth_state=0x1010101,
acl=0x172ff8 "baconm")
at /opt/local/src/cyrus-imapd-2.3.14/lib/acl_afs.c:91
#4 0x0002163c in verify_user (user=0x16f950 "baconm", domain=0x0,
mailbox=0x0, quotacheck=0, authstate=0x1010101)
at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:1037
#5 0x00025950 in process_recipient (addr=0x172fbf "", namespace=0x162610,
ignorequota=0, verify_user=0x21310 <verify_user>, msg=0x179c08)
at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:901
#6 0x0002801c in lmtpmode (func=0x158024, pin=0x179a38, pout=0x179ab0,
fd=0)
at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:1534
#7 0x0001ec3c in service_main (argc=1, argv=0x16f618, envp=0xffbffcd4)
at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:299
#8 0x0001e610 in main (argc=1, argv=0xffbffccc, envp=0xffbffcd4)
at /opt/local/src/cyrus-imapd-2.3.14/master/service.c:540
More information about the Info-cyrus
mailing list