• uw-imapd crashes in ptext < pbodypartstring < fetch_body_part_contents

    From Thorsten Glaser@tg@mirbsd.de to comp.mail.pine on Thu Jul 3 23:34:06 2025
    From Newsgroup: comp.mail.pine

    Hi,

    I'm having interesting uw-imapd core dump files from what I can
    determine (with "p 'tcp_unix.c'::myClientHost" in gdb) are all
    legit connections from my smartphone.

    They all seem to be hanging themselves up here:

    (gdb) bt
    #0 0x00005647da0eb69c in ptext (txt=<optimized out>, st=0x5647f9072fb8) at imapd.c:3766
    #1 0x00005647da0ecbf3 in pbodypartstring (msgno=96, id=<optimized out>, st=0x7ffd7112df80, bs=0x5647f9072fb8,
    ta=0x5647f908f690) at imapd.c:3746
    #2 0x00005647da0ecf4f in fetch_body_part_contents (i=96, args=<optimized out>) at imapd.c:2935
    #3 0x00005647da0eefa8 in fetch_work (t=<optimized out>, t@entry=0x5647da0f7333 <cmdbuf+19> "(UID",
    uid=uid@entry=1, f=f@entry=0x7ffd7112e070, fa=fa@entry=0x7ffd7112e3a0) at imapd.c:2849
    #4 0x00005647da0ef9a1 in fetch (t=t@entry=0x5647da0f7333 <cmdbuf+19> "(UID", uid=uid@entry=1) at imapd.c:2613
    #5 0x00005647da0e6258 in main (argc=<optimized out>, argv=<optimized out>) at imapd.c:603

    The cause is:

    (gdb) print *st
    $25 = {data = 0x3, data1 = 14067757, size = 1279866,
    chunk = 0x5647f9077d40 "(base64-encoded stuff)"..., chunksize = 65536, offset = 1279866,
    curpos = 0x5647f9093001 <error: Cannot access memory at address 0x5647f9093001>,
    cursize = 18446744073709440319, dtb = 0x7fa2390507a0 <fd_string>}

    cursize is negative (-111297), and curpos is two bytes
    past the end of chunk (checked), or rather the memory page
    chunk resides in.

    I suspect SNX() has been called at least once when cursize was 0,
    as it pre-decrements, then checks, and there might be a missing check.

    Also interesting:

    (gdb) frame 1
    (gdb) print *ta
    $28 = {section = 0x5647f908f610 "2", lines = 0x0, first = 1179648, last = 393216, flags = 2, binary = 0}

    Here, first is larger than last. AFAICT this may trigger:

    3020 if (st.size <= ta->first) st.size = ta->first = 0;

    Most of the remaining code does not seem to look at st.size (or ta)
    but only at txt->data and the likes.

    Perhaps this can get someone familiar with the code (Mark?) to have
    an idea of how to fix this. I would prefer imapd to not crash with
    a core dump but reject problematic commands.

    Thanks in advance,
    //mirabilos
    --- Synchronet 3.21d-Linux NewsLink 1.2
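    The wrap that the dump shows (cursize = 18446744073709440319, i.e. -111297 as a signed
    64-bit value, with curpos beyond the chunk) is the classic "decrement the remaining count
    first, check afterwards" defect on an unsigned counter. The following is an added example
    written for this thread, not code from uw-imapd or c-client: it models a cursor with the
    field names from the gdb dump (the struct layout, the refill hook and the byte buffer are
    constructed assumptions), reproduces the wrap with a decrement-first reader, shows the
    check-first form that cannot leave the buffer, and adds the bounds invariant a server could
    assert before handing a body part to the client instead of dumping core.

```c
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for the cursor in the gdb dump: the fields discussed in
 * the post, with the same names. Layout is an assumption for this example. */
typedef struct {
    const unsigned char *chunk;    /* current buffer */
    unsigned long chunksize;       /* bytes valid in chunk */
    const unsigned char *curpos;   /* next byte to hand out */
    unsigned long cursize;         /* bytes left in chunk; unsigned, as in the dump */
} CURSOR;

/* Constructed backing store: only CHUNK_LEN bytes are "valid"; the padding
 * keeps the demonstrated over-read inside a real array. */
enum { CHUNK_LEN = 4 };
static const unsigned char store[16] = "abcdXXXXXXXXXXX";

static void cursor_init(CURSOR *s)
{
    s->chunk = store;
    s->chunksize = CHUNK_LEN;
    s->curpos = store;
    s->cursize = CHUNK_LEN;
}

/* Refill hook (assumed): no further data, so it reports end of input. It does
 * not repair cursize, which is what makes the decrement-first reader fragile. */
static int refill(CURSOR *s)
{
    (void)s;
    return -1;
}

/* Reader modelled on the pattern the post suspects: cursize is decremented
 * before anyone asks whether a byte is left. At cursize == 0 the decrement
 * wraps to ULONG_MAX; refill reports EOF; the *next* call sees a huge nonzero
 * cursize and hands out a byte beyond chunk. */
static int unsafe_getc(CURSOR *s)
{
    if (s->cursize-- != 0)
        return *s->curpos++;
    return refill(s);
}

/* Hardened reader: test the count first and consume only when a byte exists,
 * so cursize never wraps and curpos never leaves chunk. */
static int safe_getc(CURSOR *s)
{
    if (s->cursize == 0)
        return refill(s);
    s->cursize--;
    return *s->curpos++;
}

/* Invariant worth asserting before trusting a cursor: curpos inside
 * [chunk, chunk + chunksize] and cursize consistent with it. */
static int cursor_in_bounds(const CURSOR *s)
{
    const unsigned char *end = s->chunk + s->chunksize;
    if (s->curpos < s->chunk || s->curpos > end)
        return 0;
    return s->cursize == (unsigned long)(end - s->curpos);
}

/* Perform n reads with the given reader on a fresh cursor; final state in *s. */
static void run_reads(int (*getc_fn)(CURSOR *), int n, CURSOR *s)
{
    cursor_init(s);
    for (int i = 0; i < n; i++)
        getc_fn(s);
}

/* Bytes curpos has travelled past the end of chunk (0 while still in bounds). */
static long overrun_after(int (*getc_fn)(CURSOR *), int n)
{
    CURSOR s;
    run_reads(getc_fn, n, &s);
    long past = (long)(s.curpos - (s.chunk + s.chunksize));
    return past > 0 ? past : 0;
}

/* Final cursize reinterpreted the way the post did by hand: negative = wrapped. */
static long cursize_after(int (*getc_fn)(CURSOR *), int n)
{
    CURSOR s;
    run_reads(getc_fn, n, &s);
    return (long)s.cursize;
}

/* Whether the invariant still holds after n reads. */
static int bounds_ok_after(int (*getc_fn)(CURSOR *), int n)
{
    CURSOR s;
    run_reads(getc_fn, n, &s);
    return cursor_in_bounds(&s);
}

/* Two's-complement view of an unsigned counter (gcc/x86-64 behaviour). */
static long as_signed(unsigned long v)
{
    return (long)v;
}

int main(void)
{
    printf("dump's cursize as signed: %ld\n", as_signed(18446744073709440319UL));
    printf("unsafe reader, 6 reads of a 4-byte chunk: overrun %ld, cursize %ld, in bounds %d\n",
           overrun_after(unsafe_getc, 6), cursize_after(unsafe_getc, 6), bounds_ok_after(unsafe_getc, 6));
    printf("safe reader, 6 reads: overrun %ld, cursize %ld, in bounds %d\n",
           overrun_after(safe_getc, 6), cursize_after(safe_getc, 6), bounds_ok_after(safe_getc, 6));
    return 0;
}
```

    Note that the invariant already fails after the fifth read of the unsafe reader, before any
    byte has actually been read out of bounds: checking it at the start of each part fetch would
    turn this crash into a rejected command, which is the behaviour the post asks for.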
  • From Eduardo Chappa@chappa@washington.edu to comp.mail.pine on Thu Jul 3 18:41:08 2025
    From Newsgroup: comp.mail.pine

    On Thu, 3 Jul 2025, Thorsten Glaser wrote:

    > Hi,
    >
    > I'm having interesting uw-imapd core dump files from what I can
    > determine (with "p 'tcp_unix.c'::myClientHost" in gdb) are all
    > legit connections from my smartphone.

    you seem to be using an old version of imapd.c. From the current bits
    ptext is between lines 3878 and 3883, so it seems you are using an old
    version. The advice in these cases is to upgrade your version to a newer
    version.
    --
    Eduardo
    https://alpineapp.email (web)
    http://repo.or.cz/alpine.git (Git)