1 message in net.sourceforge.lists.courier-users[courier-users] Fwd: fetchitem() patch
Subject: [courier-users] Fwd: fetchitem() patch
From: Jan Stanik (bjst@in.nextra.sk)
Date: Mar 25, 2004 12:23:39 am
List: net.sourceforge.lists.courier-users
Attachments:

Hi

Here is the problem which our developer discovered in imapd in the last version of Courier (courier-0.45.2 on FreeBSD 4.9-RELEASE-p4) but sent to the wrong list ;-)

This is a forwarded message
From: Ondrej Jombik <nep@pobox.sk>
To: cour@lists.sourceforge.net <cour@lists.sourceforge.net>
Date: Wednesday, March 24, 2004, 4:11:42 PM
Subject: fetchitem() patch

===8<==============Original message text===============
[ Please CC me in the answer as I'm not in the list ]

We discovered several SIGSEGVs while running Courier IMAP daemon. Full backtrace concerning this issue is in the attachment.

I discovered, that problem is in this part of code in fetch.c:

    if (do_open && *fp == NULL) {
        *fp=open_cached_fp(msgnum);
        if (!*fp) {
            *open_err=1;
            return rc;
        }
    }

    if (parsemime && !*mimep) {
        *mimep=fetch_alloc_rfc2045(msgnum, *fp);
    }

You can see, that if open_cached_fp() returns NULL, *open_err is properly set, however *fp (with value of NULL) is passed into fetch_alloc_rfc2045() where fseek(fp, 0L, SEEK_SET) is called causing immediate SIGSEGV (at least on FreeBSD operating system).

Patch in the attachment tries to solve this.

Any reply would be appreciated.

Thanks,

Nepto

[ Please CC me in the answer as I'm not in the list ]

--
      _/| Ondrej Jombik - nep@php.net - http://nepto.sk - ICQ #122428216
     <_ \ Platon SDG - open source software development - http://platon.sk
       `\| As you call into the forest, so the tractor burns down! (c) 1999 Rattkin/MFF
        '`
===8<===========End of original message text===========

--
Best regards,

Jan Stanik

Jan Stanik bjst@in.nextra.sk Nextra s.r.o.

--- fetch.c.ori 2004-03-24 15:56:31.000000000 +0100 +++ fetch.c 2004-03-24 15:56:25.000000000 +0100 @@ -403,8 +403,10 @@ if (do_open && *fp == NULL) { *fp=open_cached_fp(msgnum); - if (!*fp) + if (!*fp) { *open_err=1; + return rc; + } }

if (parsemime && !*mimep)
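
Review bot: the early return added to the `if (!*fp)` branch only covers the `do_open` path; the following `if (parsemime && !*mimep)` still hands `*fp` on without checking it when `do_open` is 0 and `*fp` is NULL. Consider testing `*fp` in that second condition as well, or rejecting a NULL `fp` inside `fetch_alloc_rfc2045()` before its `fseek()`. Separately, `return rc;` returns a value that was never changed on this path (the backtrace shows `rc = 0` in frame #3), so the caller learns of the failed open only through `*open_err`; a short comment stating that callers must check `*open_err` would document the contract.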

(gdb) bt full
#0  0x4811ef75 in fseeko () from /usr/lib/libc.so.4
No symbol table info available.
#1  0x4811ef27 in fseek () from /usr/lib/libc.so.4
No symbol table info available.
#2  0x804cb15 in fetch_alloc_rfc2045 (msgnum=4, fp=0x0) at fetch.c:1501
No locals.
#3  0x804a451 in fetchitem (fp=0xbfbfb0e8, open_err=0xbfbfb0dc, fi=0x80af020, i=0x80ae7ec, msgnum=4, mimep=0xbfbfb0e4) at fetch.c:412
        fetchfunc = (void (*)(struct __sFILE *, struct fetchinfo *, struct imapscaninfo *, long unsigned int, struct rfc2045 *)) 0x804a4f0 <envelope>
        parsemime = 1
        rc = 0
        do_open = 1
#4  0x8049f92 in do_fetch (n=5, byuid=0, p=0x80af020) at fetch.c:273
        fi = (struct fetchinfo *) 0x80af020
        fp = (struct __sFILE *) 0x0
        rfc2045p = (struct rfc2045 *) 0x0
        seen = 0
        open_err = 1
#5  0x804f1b2 in do_msgset (msgset=0x80b0081 "", msgfunc=0x8049e78 <do_fetch>, msgfunc_arg=0x80af020, isuid=0) at imapd.c:1001
        i = 5
        j = 5
        rc = 134638200
        last = 6
#6  0x80581e4 in do_imap_command (tag=0xbfbfb398 "0000000e") at imapd.c:5407
        fi = (struct fetchinfo *) 0x80af020
        msgset = 0x80b0080 "5"
        curtoken = (struct imaptoken *) 0x80adba0
        uid = 0
#7  0x8065b62 in mainloop () at mainloop.c:93
        rc = 0
        tag = "0000000e", '\000' <repeats 11876 times>, "Rb\nH\bC\013H\001\000\000\000\003", '\000' <repeats 11 times>, "\200G\013HPâ¿¿\226g\nHÄ", '\000' <repeats 11 times>, "\204g\nH\bC\013H", '\000' <repeats 20 times>, "\214â¿¿\000\201\013H\bC\013H\003\000\000\000mg\nH\000\201\013H\000\000\000\000Ä\000\000\000Lg\nH\bC\013H\000\000\000\000\000\000\000\000úÕ\nH\bC\013H\001\000\000\000¼â¿¿¯a\nHÄ\000\000\000,ó¿¿,ó¿¿\234a\nH\bC\013H\000\001\000\003\000\000\000\022\020\000\000^?^?^?^?\000\000\000\000,ó¿¿ð_\nH`ã"...
        curtoken = (struct imaptoken *) 0x80adba0
        noerril = 0
#8  0x805a205 in main (argc=2, argv=0xbfbff48c) at imapd.c:6334
        ip = 0xbfbffcc2 "195.168.1.5"
        p = 0xbfbffe2a "IMAP"
        tag = 0xbfbffe3c "00000000"
        oldumask = 49087
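
The control flow described in the message, as an added example that is not part of the original post or of Courier's source: an error flag is set after a failed open, but execution continues and the NULL stream reaches the parser. All function names are hypothetical stand-ins, and the parser stand-in counts a NULL argument instead of dereferencing it so the difference can be observed without crashing.

```c
#include <stdio.h>

static int null_fp_uses;   /* times the parser stand-in was handed NULL */

/* Hypothetical stand-in for open_cached_fp(): NULL models a failed open. */
static FILE *open_msg(int ok) { return ok ? tmpfile() : NULL; }

/* Hypothetical stand-in for fetch_alloc_rfc2045(). Per the message, the real
 * function calls fseek(fp, 0L, SEEK_SET) unconditionally; this one counts and
 * refuses a NULL stream, which is also the defensive check a callee can make. */
static int parse_msg(FILE *fp)
{
	if (fp == NULL) { null_fp_uses++; return -1; }
	return fseek(fp, 0L, SEEK_SET);
}

/* Flow the message describes: the flag is set, then execution falls through. */
static int fetch_before(int ok, FILE **fp, int *open_err)
{
	if (*fp == NULL) {
		*fp = open_msg(ok);
		if (!*fp)
			*open_err = 1;
	}
	return parse_msg(*fp);   /* reached even after the failed open */
}

/* Flow with the early return: a failed open never reaches the parser. */
static int fetch_after(int ok, FILE **fp, int *open_err)
{
	if (*fp == NULL) {
		*fp = open_msg(ok);
		if (!*fp) {
			*open_err = 1;
			return 0;        /* caller must inspect *open_err */
		}
	}
	return parse_msg(*fp);
}

int main(void)
{
	FILE *fp = NULL; int err = 0;
	fetch_before(0, &fp, &err);
	printf("before: open_err=%d NULL uses=%d\n", err, null_fp_uses);
	null_fp_uses = 0; err = 0; fp = NULL;
	fetch_after(0, &fp, &err);
	printf("after:  open_err=%d NULL uses=%d\n", err, null_fp_uses);
	return 0;
}
```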