[PATCH] imapd segfaults after broken pipe
Gerd v. Egidy
lists at egidy.de
Sat Jan 4 17:53:30 EST 2003
Hi,

Since some popular client (we know which one ;) sometimes just kicks a
connection instead of gracefully closing it, we have a decent number of broken
pipe signals sent to our imapds.

Since our upgrade from 2.0 to 2.1.11 this was often followed by a segfault of
the process that just got the broken pipe.

Since I don't like to run programs which segfault, I did a little debugging:

If the broken pipe is encountered during write (prot_flush) the process
doesn't immediately close the connection but finishes the current command;
s->cnt stays 0 and s->ptr isn't set to the buffer start.

If prot_putc is called later on (while finishing the current command output),
it decreases s->cnt to -1 and writes after the malloced buffer. The #defined
version of prot_putc isn't guarded by an assertion to defend against this (it
took me a decent debugging session to find out about the #defined version...).

If there are enough calls to prot_putc you'll get a nice segfault.

The attached patch fixes this.

While I was at it, I took a look at the other prot_ functions. I think at least
prot_ungetc should be guarded against buffer overflows too.

Kind regards,

Gerd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-imapd-2.1.11-errsafe.patch
Type: text/x-diff
Size: 1026 bytes
Desc: not available
Url : https://lists.andrew.cmu.edu/mailman/private/info-cyrus/attachments/20030104/c24c5b2b/cyrus-imapd-2.1.11-errsafe.bin
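To make the failure mode described in the mail concrete, here is an added example (hypothetical code, not Cyrus's prot layer and not the attached patch) that models the buffered output stream: a putc in the style of the unguarded macro, whose count goes to -1 after a failed flush and stores past the buffer, beside a guarded version that turns the missing assertion into an error return. The struct fields (cnt, ptr) are named after the mail; the 8-byte buffer and the always-failing flush are constructed for the demo.

```c
#include <errno.h>
#include <string.h>
/* Hypothetical buffered output stream modelled on the mail's description;
 * an added example, not Cyrus's prot layer or the attached patch. */
#define BUFSZ 8
struct ostream {
    char buf[BUFSZ];
    char *ptr;      /* next free byte in buf */
    int cnt;        /* room left; a flush is due when it reaches 0 */
    int error;      /* errno of a failed flush, 0 while healthy */
    int oob_writes; /* instrumentation: stores that would land past buf */
};
static void os_init(struct ostream *s) {
    memset(s, 0, sizeof *s); s->ptr = s->buf; s->cnt = BUFSZ;
}
/* Flush whose write() hits a broken pipe: the error is recorded but, as in the
 * bug described, cnt stays 0 and ptr is not reset to the buffer start. */
static int os_flush_broken(struct ostream *s) { s->error = EPIPE; return -1; }
/* Unguarded putc in the style of the #defined macro: store, decrement, flush
 * when the count hits 0. After a failed flush the next call decrements cnt to
 * -1 and stores past buf; that stray store is counted, not performed, here. */
static void os_putc_unguarded(struct ostream *s, char c) {
    if (s->ptr - s->buf >= BUFSZ) s->oob_writes++;
    else *s->ptr++ = c;
    if (--s->cnt == 0) os_flush_broken(s);
}

/* Guarded putc: the assertion the function version has, turned into an error
 * return. Nothing is stored once the stream has failed or the room is gone. */
static int os_putc_guarded(struct ostream *s, char c) {
    if (s->error || s->cnt <= 0) return -1;
    *s->ptr++ = c;
    if (--s->cnt == 0 && os_flush_broken(s) < 0) return -1;
    return 0;
}

/* Push n bytes through each path: unguarded returns the would-be out-of-bounds
 * stores, guarded returns how many calls reported failure instead. */
static int demo_unguarded(int n) {
    struct ostream s; os_init(&s);
    for (int i = 0; i < n; i++) os_putc_unguarded(&s, 'A');
    return s.oob_writes;
}
static int demo_guarded(int n) {
    struct ostream s; int failed = 0; os_init(&s);
    for (int i = 0; i < n; i++) failed += os_putc_guarded(&s, 'A') < 0;
    return failed;
}
```

With a 12-byte command output, the unguarded path reports four stores past the buffer end after the flush at byte 8 fails, while the guarded path reports the failure on that byte and every later one without ever touching memory beyond buf.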