Strange LMTP crash

Ben Carter bhc at pitt.edu
Tue Jul 14 13:51:17 EDT 2009


Michael Bacon wrote:
> Hi, all,
> 
> I'm working through a bizarre segfault from lmtpd that occurs following a 
> rcpt to: command.  The best I can describe what's going on is that somehow 
> the NULL value stored in the authstate pointer is getting changed to 
> 0x1010101 when passed to the verify_user function.  Here's a relevant GDB 
> snippet:
> 
> #5  0x00025950 in process_recipient (addr=0x172fbf "", namespace=0x162610,
>     ignorequota=0, verify_user=0x21310 <verify_user>, msg=0x179c08)
>     at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:901
> 901     in /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c
> (gdb) print msg->authstate
> $7 = (struct auth_state *) 0x0
> (gdb) print *msg
> $8 = {data = 0x0, f = 0x0, id = 0x0, size = 0,
>   return_path = 0x172f58 "<michael at snowplow.org>", rcpt = 0x172188,
>   rcpt_num = 0, authuser = 0x0, authstate = 0x0, rock = 0x0,
>   hdrcache = 0x17dda0}
> (gdb) down
> #4  0x0002163c in verify_user (user=0x16f950 "baconm", domain=0x0,
>     mailbox=0x0, quotacheck=0, authstate=0x1010101)
>     at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:1037
> 
> 
> So process_recipient is calling verify_user with the correct value from 
> msg->authstate (0x0, although this is odd, since by this point I should be 
> authenticated, but whatever...).  Once the process enters verify_user, 
> however, gdb shows that value as 0x1010101.
> 
> At some point down the line, the code checks to see if there's a value in 
> the pointer, and because there is, it proceeds to try to dereference 
> 0x1010101 (in strcmp), resulting in the SEGV.
> 
> I'm still looking, but has anyone seen anything like this before?
> 
> -Michael
> 
> Backtrace below:
> 
> 
> 
> #0  0xfec31b60 in strcmp () from /lib/libc.so.1
> #1  0x000a1a94 in mymemberof (auth_state=0x1010101,
>     identifier=0x172ff8 "baconm")
>     at /opt/local/src/cyrus-imapd-2.3.14/lib/auth_unix.c:84
> #2  0x000a18d0 in auth_memberof (auth_state=0x1010101,
>     identifier=0x172ff8 "baconm")
>     at /opt/local/src/cyrus-imapd-2.3.14/lib/auth.c:94
> #3  0x000a1110 in cyrus_acl_myrights (auth_state=0x1010101,
>     acl=0x172ff8 "baconm")
>     at /opt/local/src/cyrus-imapd-2.3.14/lib/acl_afs.c:91
> #4  0x0002163c in verify_user (user=0x16f950 "baconm", domain=0x0,
>     mailbox=0x0, quotacheck=0, authstate=0x1010101)
>     at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:1037
> #5  0x00025950 in process_recipient (addr=0x172fbf "", namespace=0x162610,
>     ignorequota=0, verify_user=0x21310 <verify_user>, msg=0x179c08)
>     at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:901
> #6  0x0002801c in lmtpmode (func=0x158024, pin=0x179a38, pout=0x179ab0, 
> fd=0)
>     at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:1534
> #7  0x0001ec3c in service_main (argc=1, argv=0x16f618, envp=0xffbffcd4)
>     at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:299
> #8  0x0001e610 in main (argc=1, argv=0xffbffccc, envp=0xffbffcd4)
>     at /opt/local/src/cyrus-imapd-2.3.14/master/service.c:540
> 
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

I already found this.  The quota that is passed to verify_user() by 
process_recipient() has to be a quota_t, not an int.  A patch was 
already submitted.

Ben

-- 
Ben Carter
University of Pittsburgh/CSSD
bhc at pitt.edu
412-624-6470
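The failure mode Ben describes is a prototype mismatch across a function-pointer call: process_recipient() marshals the quota argument as a 32-bit int, while verify_user() decodes it as a 64-bit quota_t, so every argument after it is read from the wrong place. The following is an added example, written for this page and not code from Cyrus IMAP, that simulates that shift on a simplified stack-passing ABI. The byte buffer, the 0x01 fill standing in for stale stack contents, and the demo_int_quota()/demo_quota_t() names are assumptions made for the illustration; the parameter values echo the gdb output above (user=0x16f950, NULL domain, mailbox and authstate, quota 0). It does not model the real SPARC calling convention.

```c
/*
 * Added example, not Cyrus code: simulate why passing an int where the
 * callee's prototype says quota_t (64-bit) shifts every later argument.
 * The outgoing-argument area is a flat byte buffer pre-filled with 0x01
 * to stand in for whatever stale data lies beyond what the caller wrote.
 * This is a simplified stack-passing layout, not a real ABI.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t quota_t;            /* 64-bit, as the callee's prototype expects */

struct argbuf {
    unsigned char b[32];            /* simulated outgoing-argument area */
    size_t w;                       /* caller's write cursor */
    size_t r;                       /* callee's read cursor */
};

/* What the callee (verify_user) sees after decoding its parameters. */
struct callee_view {
    uint32_t user, domain, mailbox; /* 32-bit pointers, as in the 32-bit build above */
    quota_t  quotacheck;
    uint32_t authstate;
};

static void argbuf_init(struct argbuf *a)
{
    memset(a->b, 0x01, sizeof a->b);   /* stale bytes beyond the caller's writes */
    a->w = a->r = 0;
}

static void push_u32(struct argbuf *a, uint32_t v) { memcpy(a->b + a->w, &v, 4); a->w += 4; }
static void push_u64(struct argbuf *a, uint64_t v) { memcpy(a->b + a->w, &v, 8); a->w += 8; }
static uint32_t pop_u32(struct argbuf *a) { uint32_t v; memcpy(&v, a->b + a->r, 4); a->r += 4; return v; }
static uint64_t pop_u64(struct argbuf *a) { uint64_t v; memcpy(&v, a->b + a->r, 8); a->r += 8; return v; }

/* Callee side: decodes in the order of the real prototype
 * verify_user(user, domain, mailbox, quota_t quotacheck, authstate). */
static struct callee_view callee_decode(struct argbuf *a)
{
    struct callee_view v;
    v.user       = pop_u32(a);
    v.domain     = pop_u32(a);
    v.mailbox    = pop_u32(a);
    v.quotacheck = (quota_t)pop_u64(a);   /* always consumes 8 bytes */
    v.authstate  = pop_u32(a);            /* read from offset 20 */
    return v;
}

/* Buggy caller: the function-pointer type declares the quota as int, so
 * only 4 bytes are written for it and authstate lands at offset 16. */
struct callee_view demo_int_quota(void)
{
    struct argbuf a;
    argbuf_init(&a);
    push_u32(&a, 0x16f950u);    /* user */
    push_u32(&a, 0);            /* domain = NULL */
    push_u32(&a, 0);            /* mailbox = NULL */
    push_u32(&a, 0);            /* quota marshalled as int: 4 bytes */
    push_u32(&a, 0);            /* authstate = NULL */
    return callee_decode(&a);   /* callee's authstate is stale 0x01010101 */
}

/* Fixed caller: quota marshalled as quota_t (8 bytes), so the callee's
 * read of authstate lines up with what the caller wrote. */
struct callee_view demo_quota_t(void)
{
    struct argbuf a;
    argbuf_init(&a);
    push_u32(&a, 0x16f950u);
    push_u32(&a, 0);
    push_u32(&a, 0);
    push_u64(&a, (uint64_t)(quota_t)0);
    push_u32(&a, 0);
    return callee_decode(&a);   /* callee's authstate is NULL, as intended */
}

int main(void)
{
    struct callee_view bad = demo_int_quota(), good = demo_quota_t();
    printf("int caller:     quotacheck=%lld authstate=0x%x\n",
           (long long)bad.quotacheck, bad.authstate);
    printf("quota_t caller: quotacheck=%lld authstate=0x%x\n",
           (long long)good.quotacheck, good.authstate);
    return 0;
}
```

Note that the mismatched call still produces quotacheck=0, because the NULL authstate the caller wrote gets absorbed into the high half of the quota; only the next parameter, the authorization context that cyrus_acl_myrights() later dereferences, turns into garbage, which is why the gdb frames show the right value in the caller and a wild pointer in the callee. The practical safeguard is to declare the callback type with the exact prototype of the function assigned to it and to build with the compiler's incompatible-pointer-type diagnostic enabled as an error (in gcc, -Werror=incompatible-pointer-types), so that a mismatch between an int and a quota_t parameter fails at compile time rather than surfacing as a segfault in the ACL check.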

