imapd crashes with SIGSEGV in mboxlist.c:221

Bron Gondwana brong at fastmail.fm
Sat Aug 20 12:56:26 EDT 2011


On Mon, Aug 08, 2011 at 05:52:54AM +0200, Dmitry Katsubo wrote:

So... if you're going to insist on sticking with 2.2.x:

> Index: cyrus-imapd-2.2-2.2.13p1/imap/mboxlist.c
> ===================================================================
> --- cyrus-imapd-2.2-2.2.13p1.orig/imap/mboxlist.c	2011-08-08 02:34:25.330006463 +0200
> +++ cyrus-imapd-2.2-2.2.13p1/imap/mboxlist.c	2011-08-08 02:34:43.282002740 +0200
> @@ -183,7 +183,7 @@
>
>  	if (*p == ' ') p++;
>  	q = partition;
> -	while (*p != ' ') {	/* copy out partition name */
> +	while (*p != ' ' && *p != '\t') {	/* copy out partition name */
>  	    *q++ = *p++;
>  	}
>  	*q = '\0';
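Review bot: The loop at `while (*p != ' ' && *p != '\t')` is still unbounded: accepting a tab as a second terminator only helps when the record happens to contain one, so a record with neither character before its end (a truncated or corrupted mailboxes.db entry) still walks `p` past the end of the data. Bound the read against the record length instead, e.g. `while (p < data + datalen && *p != ' ' && *p != '\t')`, and bound the `*q++ = *p++;` writes against the size of `partition` as well, since a partition name longer than that buffer overflows it no matter which delimiters are accepted. The comment `/* copy out partition name */` should also say why tab is now a terminator, as nothing in the hunk records that.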

So... the real problem here is that you're reading a fixed length
buffer and only looking for expected values rather than looking out
for the end.

This works because there's always an ACL full of tabs on the end.
Usually.  Unless it's really corrupted, in which case you are
pretty screwed.

But then - if your mailboxes.db contents are corrupted then your
life can get miserable in all sorts of ways.

I think this is probably a saner way to patch:

while (p < (data + datalen) && *p != ' ') { /* copy out partition name */

But there are so many things wrong with that block of code, which
is why it's been rewritten at least 3 times already since then,
and is about to come back for a 4th attempt.

Bron ( the 4th time being a complete format change... )
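The bounded loop Bron suggests, carried through as a complete parsing routine so the end-of-record and buffer-size checks can be exercised. This is an added example written for this thread, not code from the Cyrus tree; the record layout it assumes ("<mbtype> <partition>\t<acl...>"), the function names and the buffer sizes are assumptions for illustration, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not Cyrus code: a bounded version of the partition-copy
 * loop discussed in this thread. The record layout assumed here is the
 * constructed "<mbtype> <partition>\t<acl...>" shape; names and sizes are
 * assumptions for illustration only. */
#define PARTITION_MAX 64

/* Parse the mailbox type and partition name out of a record of exactly
 * `datalen` bytes (not NUL-terminated, as with a value read from a db).
 * Every read checks p < end and every write checks the partition buffer,
 * so a record lacking the expected ' ' or '\t' delimiters cannot carry
 * the parser past the end of `data`.
 * Returns the offset of the first byte after the partition name (i.e. the
 * start of the ACL field), or -1 if the record is malformed. */
int parse_partition(const char *data, size_t datalen,
                    int *mbtype, char *partition, size_t partsize)
{
    const char *p = data;
    const char *end = data + datalen;   /* read-side bound */
    char *q = partition;
    char *qend;
    int type = 0;
    int digits = 0;

    if (partsize == 0) return -1;
    qend = partition + partsize - 1;    /* keep one byte for the NUL */

    /* mailbox type: a run of digits, bounded by the record length */
    while (p < end && *p >= '0' && *p <= '9') {
        type = type * 10 + (*p - '0');
        p++;
        digits++;
    }
    if (digits == 0) return -1;          /* no type field at all */

    if (p < end && *p == ' ') p++;       /* single separator after the type */

    /* partition name: stop at space or tab, at the end of the record, or
     * when the destination buffer is full */
    while (p < end && *p != ' ' && *p != '\t') {
        if (q >= qend) {                 /* name would overflow `partition` */
            partition[0] = '\0';
            return -1;
        }
        *q++ = *p++;
    }
    *q = '\0';

    if (q == partition) return -1;       /* empty partition name */
    if (p >= end) return -1;             /* delimiter (and ACL) missing: truncated record */

    *mbtype = type;
    return (int)(p - data);
}

/* Convenience wrapper over a NUL-terminated string so the routine can be
 * exercised with string literals. */
int parse_partition_str(const char *record, int *mbtype,
                        char *partition, size_t partsize)
{
    return parse_partition(record, strlen(record), mbtype, partition, partsize);
}

int main(void)
{
    /* constructed sample records; the ACL fields are invented */
    const char *good = "0 default\tuser.example\tlrswipcda\t";
    const char *trunc = "0 default";     /* no delimiter after the name */
    char part[PARTITION_MAX];
    int type = -1;

    printf("good:  %d (partition=%s)\n",
           parse_partition_str(good, &type, part, sizeof part), part);
    printf("trunc: %d\n", parse_partition_str(trunc, &type, part, sizeof part));
    return 0;
}
```

The truncated record is the case the original loop gets wrong: with no trailing ACL there is no space or tab to stop on, and only the `p < end` check keeps the scan inside the record. The undersized-buffer path is the separate defect on the write side, which no choice of delimiter fixes.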
