[tpop3d-discuss][PATCH] Segfault in transaction mode

Martin Blapp mb at imp.ch
Thu, 10 Feb 2005 12:23:52 +0100 (CET)


I dunno why curmbox can even be empty in transaction state, but it happens
here 3-4 times per day (out of 1'500'000 pop3 requests).

Chris, do you know more? This is the CVS version from 2 days ago. IP addresses
and names have been obfuscated.

Program terminated with signal 11, Segmentation fault.
#0  connection_do (c=0x806c280, p=0x8085f60) at pop3.c:669
669                     for (i = curmbox->index; i < curmbox->index + curmbox->num; ++i) i->deleted = 0;
(gdb) bt
#0  connection_do (c=0x806c280, p=0x8085f60) at pop3.c:669
#1  0x08059c5e in connections_post_select (readfds=0xbfbfeb90, writefds=0xbfbfeb10, exceptfds=0x0) at netloop.c:417
#2  0x0805a13c in net_loop () at netloop.c:568
#3  0x080581b1 in main (argc=1, argv=0xbfbfece4, envp=0xbfbfecec) at main.c:563

(gdb) frame 0
#0  connection_do (c=0x806c280, p=0x8085f60) at pop3.c:669
669                     for (i = curmbox->index; i < curmbox->index + curmbox->num; ++i) i->deleted = 0;
(gdb) list
664                     snprintf(response, 31, "%d %d", curmbox->num - curmbox->numdeleted, curmbox->totalsize - curmbox->sizedeleted);
665                     connection_sendresponse(c, 1, response);
666                     break;
667
668                 case RSET:
669                     for (i = curmbox->index; i < curmbox->index + curmbox->num; ++i) i->deleted = 0;
670                     curmbox->numdeleted = 0;
671                     curmbox->sizedeleted = 0;
672                     connection_sendresponse(c, 1, _("Done."));
673                     break

(gdb) p curmbox
$1 = 0x0
(gdb) p *curmbox
Cannot access memory at address 0x0

(gdb) p *c
$3 = {s = 15, sin = {sin_len = 16 '\020', sin_family = 2 '\002', sin_port =
35080, sin_addr = {s_addr = 4133644281},
    sin_zero = "\000\000\000\000\000\000\000"}, remote_ip = 0x80badd0
"157.161.52.246", sin_local = {sin_len = 16 '\020', sin_family = 2 '\002',
    sin_port = 28160, sin_addr = {s_addr = 1124704669}, sin_zero =
"\000\000\000\000\000\000\000"}, local_ip = 0x80bbec0 "157.161.X.XX",
  idstr = 0x806e540 "[15]somuser(157.161.XX.XXX)", nrd = 33, nwr = 158, domain
=
0x80bbff0 "domain.ch",
  timestamp = 0x806e6c0 "<8441b3a12278e0a281e13c24995b964d@domain.ch>", rdb =
0x8067540, wrb = 0x80675c0, secured = 0, io = 0x80673a0, cstate = running,
  state = transaction, idlesince = 1108019437, frozenuntil = 0, do_shutdown = 1,
n_auth_tries = 0, n_errors = 0, user = 0x80b8f10 "somuser",
  pass = 0x80b8f60 "", a = 0x806e580, m = 0x0, l = 0x806e100}

(gdb) p *c->a
$9 = {uid = 27, gid = 6, mboxdrv = 0x80b8fa0 "bsd", mailbox = 0x806e640
"/var/popspool/somuser", auth = 0x80bd340 "mysql",
  user = 0x80bd510 "somuser", home = 0x80b8fd0 "/var/popspool", local_part =
0x80bd550 "calvaro", domain = 0x80bd580 "domain.ch"}

(gdb) p *c->l
$10 = {sin = {sin_len = 0 '\0', sin_family = 2 '\002', sin_port = 28160,
sin_addr = {s_addr = 1224705669}, sin_zero = "\000\000\000\000\000\000\000"},
  domain = 0x8069360 "domain.ch", have_re = 0, re = {re_magic = 0, re_nsub =
0, re_endp = 0x0, re_g = 0x0}, regex = 0x0, s = 6}

do_shutdown is set to 1; does that mean the user had already sent a quit
command, followed maybe by a list?

Anyway, this seems to fix or work around the issue:

--- pop3.c      Thu Feb 10 10:18:34 2005
+++ pop3.c      Thu Feb 10 10:17:48 2005
@@ -567,6 +567,13 @@
         char response[32] = {0};

         curmbox = c->m; /* this connection's mailbox */
+
+       if (curmbox == NULL) {
+               connection_sendresponse(c, 0, _("empty mailbox in transaction state, please try again"));
+               log_print(LOG_ERR, _("connection_do: empty mailbox in transaction state"));
+                return close_connection;
+       }
+
         num_args = p->toks->num - 1;

         /* No command has more than two arguments. */
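Review bot: The new NULL check closes the connection but logs nothing that identifies which connection hit it, and that matters here because the root cause is still unknown (the dump shows state = transaction with m = 0x0 and do_shutdown = 1, so a QUIT may already have released the mailbox while the socket stayed readable); the connection carries an identifier (idstr in the dump), so I would log it: `log_print(LOG_ERR, _("connection_do: %s: empty mailbox in transaction state"), c->idstr);` — assuming log_print takes printf-style arguments. The check also runs unconditionally right after `curmbox = c->m`, before any dispatch on c->state that this hunk does not show; if connection_do is also entered for commands in the authorisation state, where no mailbox is open yet, the check needs to be conditioned on `c->state == transaction`, otherwise it would reject every pre-login command. The RSET loop in the trace is a remotely reachable NULL dereference, so the defensive check is worthwhile regardless of root cause, but the added lines are indented with tabs (and the `return close_connection;` line with a different width) while the surrounding code uses spaces and should match. connection_do begins and ends outside the hunk.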

Martin Blapp, <mb@imp.ch> <mbr@FreeBSD.org>
------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP, Zurlindenstrasse 29, 4133 Pratteln, CH
Phone: +41 61 826 93 00 Fax: +41 61 826 93 01
PGP: <finger -l mbr@freebsd.org>
PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E
------------------------------------------------------------------