NULL pointer bug in 2.3.13rc3 when deleting top-level mailboxes
Stephen Grier
s.e.grier at qmul.ac.uk
Tue Oct 14 13:09:49 EDT 2008
Hi,
While testing cyrus-imapd-2.3.13rc3, I noticed log entries like the
following when deleting a top-level mailbox:
Oct 14 17:39:21 machine master[24378]: process 24391 exited, signaled to death by 11
The mailbox had been removed from the filesystem, but the imapd process
appears to have segfaulted. Trussing the imapd showed:
stat("/var/imap/mailboxes.db", 0xFFBFB5B0) = 0
fcntl(6, F_SETLKW, 0xFFBFB628) = 0
rmdir("/var/spool/imap/v/wobble") = 0
Incurred fault #6, FLTBOUNDS %pc = 0x00047850
siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
Looking at the code there is a clear NULL pointer bug in the
mailbox_delete function in imap/mailbox.c. The patch is:
$ diff -u imap/mailbox.c.orig imap/mailbox.c
--- imap/mailbox.c.orig Wed Oct 8 16:47:08 2008
+++ imap/mailbox.c Tue Oct 14 17:49:05 2008
@@ -2919,7 +2919,9 @@
r = mboxlist_lookup(nbuf, NULL, NULL);
} while(r == IMAP_MAILBOX_NONEXISTENT);
- *ntail = '\0';
+ if (ntail != NULL) {
+ *ntail = '\0';
+ }
if (updatenotifier) updatenotifier(nbuf);
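Review bot: The `updatenotifier(nbuf)` call right after the new guard still runs when ntail is NULL, and in that case nbuf is passed on without having been terminated at ntail. Please confirm that nbuf holds the intended mailbox name on that path, or move the call inside the `if (ntail != NULL)` block if there is nothing to notify. The hunk shows only the end of the do/while loop, so it is also worth checking that the loop body does not write through ntail before this point. A one-line comment on the guard saying when ntail is NULL (the report hits it when deleting a top-level mailbox) would help later readers.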
--
Stephen Grier
Systems Developer
Computing Services
Queen Mary, University of London