imapd dumps core on APPEND URL with invalid section

Edda letters001 at sendmaid.org
Sat Jul 30 09:18:38 EDT 2016


Hi,

we get core dumps of imapd on commands like this:

A7 APPEND "INBOX/Junk E-mail" () "29-Jul-2016 07:17:38 +0000" CATENATE 
(URL "/INBOX/;uid=44335/;section=TEXT.MIME" URL 
"/INBOX/;uid=44335/;section=TEXT")
Connection closed by foreign host.

Tested with:
Cyrus 2.4.18 on Solaris 11
Cyrus 2.4.17 on CentOS 7

section=MIME instead of section=TEXT.MIME (which I think is not a valid 
section) works for the message:

A7 APPEND "INBOX/Junk E-mail" () "29-Jul-2016 07:17:38 +0000" CATENATE 
(URL "/INBOX/;uid=44335/;section=MIME" URL 
"/INBOX/;uid=44335/;section=TEXT")
A7 OK [APPENDUID 1469792687 169] Completed

To illustrate the issue we produced core dumps with some nonsense 
sections, example:

A7 APPEND "INBOX/Junk E-mail" () "29-Jul-2016 07:17:38 +0000" CATENATE 
(URL "/INBOX/;uid=44335/;section=CATS_AND_DOGS" URL 
"/INBOX/;uid=44335/;section=TEXT")
Connection closed by foreign host.


This is the stacktrace of the corresponding core file (produced with 
Cyrus 2.4.17):

(gdb) bt full
#0  __bswap_32 (__bsx=<error reading variable: Cannot access memory at 
address 0x7f6211818650>) at /usr/include/bits/byteswap.h:47
No locals.
#1  index_urlfetch (state=<optimized out>, msgno=<optimized out>, 
params=0, section=<optimized out>, start_octet=0, octet_count=0,
     pout=0x7f612b939610, outsize=0x7fff44d3ce80) at index.c:2785
         num_parts = 2
         p = 0x7f612b9292fb "CATS_AND_DOGS"
         data = 0x7f6129f41000 <Address 0x7f6129f41000 out of bounds>
         msg_base = 0x7f6129f41000 <Address 0x7f6129f41000 out of bounds>
         msg_size = 4812
         cacheitem = 0x7f6211818650 <Address 0x7f6211818650 out of bounds>
         fetchmime = 1
         domain = 0
         size = 4812
         skip = 1697477688
         n = <optimized out>
         r = <optimized out>
         decbuf = 0x0
         mailbox = 0x7f612b929878
         im = 0x7f612b92a7b0
[…]
(gdb) where
#0  __bswap_32 (__bsx=<error reading variable: Cannot access memory at 
address 0x7f62a7ebe650>) at /usr/include/bits/byteswap.h:47
#1  index_urlfetch (state=<optimized out>, msgno=<optimized out>, 
params=0, section=<optimized out>, start_octet=0, octet_count=0, 
pout=0x7f61c12d4600, outsize=0x7ffcec9b1fc0)
     at index.c:2785
#2  0x00007f61c06d0277 in cmd_append (tag=<optimized out>, 
name=<optimized out>, cur_name=<optimized out>) at imapd.c:3121
#3  0x00007f61c06d5f2c in cmdloop () at imapd.c:1279
#4  0x00007f61c06d7759 in service_main (argc=<optimized out>, 
argv=<optimized out>, envp=<optimized out>) at imapd.c:946
#5  0x00007f61c06c0875 in main (argc=<optimized out>, argv=<optimized 
out>, envp=0x7ffcec9b7a88) at service.c:582


I don’t know where to fix it best in order to get BADURL or something 
instead of a core dump, so any help would be highly appreciated.

Regards,
Edda
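
The question above is where to reject a bad section before it is used. One option is to check the section string against the RFC 3501 section-spec grammar first and return an error when it does not match. The sketch below is an added example, not part of the original post and not Cyrus code; the function names are hypothetical and the HEADER.FIELDS forms are left out. Because it follows the grammar strictly it also rejects a bare MIME, which the post reports Cyrus accepting.

```c
#include <ctype.h>
#include <stdio.h>

/* Case-insensitive equality; IMAP grammar keywords are not case-sensitive. */
static int ieq(const char *a, const char *b)
{
    while (*a && toupper((unsigned char)*a) == toupper((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Length of a leading nz-number (digits, first one 1-9), or 0 if absent. */
static size_t nz_number(const char *s)
{
    size_t n = 0;
    if (s[0] < '1' || s[0] > '9') return 0;
    while (isdigit((unsigned char)s[n])) n++;
    return n;
}

/* section-msgtext, minus the HEADER.FIELDS forms (they carry a header list). */
static int is_msgtext(const char *s) { return ieq(s, "HEADER") || ieq(s, "TEXT"); }

/* 1 if `section` matches RFC 3501 section-spec =
 *   section-msgtext / (section-part ["." section-text]); 0 otherwise, so the
 * caller can refuse the URL before any message data is looked up. */
int section_spec_is_valid(const char *section)
{
    const char *p = section;
    size_t n;

    if (p == NULL || *p == '\0') return 0;
    if (is_msgtext(p)) return 1;             /* top-level HEADER or TEXT */
    if ((n = nz_number(p)) == 0) return 0;   /* otherwise a part number is required */
    p += n;
    while (*p == '.') {
        p++;
        if ((n = nz_number(p)) > 0) { p += n; continue; }
        return is_msgtext(p) || ieq(p, "MIME"); /* keyword must be the last element */
    }
    return *p == '\0';
}

int main(void)
{
    /* Section values taken from the post, plus one valid form (constructed). */
    const char *s[] = { "TEXT", "TEXT.MIME", "CATS_AND_DOGS", "MIME", "1.MIME" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-14s %s\n", s[i], section_spec_is_valid(s[i]) ? "ok" : "reject");
    return 0;
}
```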


