Michael Bacon wrote:
> Hi, all,
>
> I'm working through a bizarre segfault from lmtpd that occurs following a
> rcpt to: command. The best I can describe what's going on is that somehow
> the NULL value stored in the authstate pointer is getting changed to
> 0x1010101 when passed to the verify_user function. Here's a relevant GDB
> snippet:
>
> #5 0x00025950 in process_recipient (addr=0x172fbf "", namespace=0x162610,
> ignorequota=0, verify_user=0x21310 <verify_user>, msg=0x179c08)
> at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:901
> 901 in /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c
> (gdb) print msg->authstate
> $7 = (struct auth_state *) 0x0
> (gdb) print *msg
> $8 = {data = 0x0, f = 0x0, id = 0x0, size = 0,
> return_path = 0x172f58 "<michael@xxxxxxxxxxxx>", rcpt = 0x172188,
> rcpt_num = 0, authuser = 0x0, authstate = 0x0, rock = 0x0,
> hdrcache = 0x17dda0}
> (gdb) down
> #4 0x0002163c in verify_user (user=0x16f950 "baconm", domain=0x0,
> mailbox=0x0, quotacheck=0, authstate=0x1010101)
> at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:1037
>
>
> So process_recipient is calling verify_user with the correct value from
> msg->authstate (0x0, although this is odd, since by this point I should be
> authenticated, but whatever...). Once the process enters verify_user,
> however, gdb shows that value as 0x1010101.
>
> At some point down the line, the code checks to see if there's a value in
> the pointer, and because there is, it proceeds to try to dereference
> 0x1010101 (in strcmp), resulting in the SEGV.
>
> I'm still looking, but has anyone seen anything like this before?
>
> -Michael
>
> Backtrace below:
>
>
>
> #0 0xfec31b60 in strcmp () from /lib/libc.so.1
> #1 0x000a1a94 in mymemberof (auth_state=0x1010101,
> identifier=0x172ff8 "baconm")
> at /opt/local/src/cyrus-imapd-2.3.14/lib/auth_unix.c:84
> #2 0x000a18d0 in auth_memberof (auth_state=0x1010101,
> identifier=0x172ff8 "baconm")
> at /opt/local/src/cyrus-imapd-2.3.14/lib/auth.c:94
> #3 0x000a1110 in cyrus_acl_myrights (auth_state=0x1010101,
> acl=0x172ff8 "baconm")
> at /opt/local/src/cyrus-imapd-2.3.14/lib/acl_afs.c:91
> #4 0x0002163c in verify_user (user=0x16f950 "baconm", domain=0x0,
> mailbox=0x0, quotacheck=0, authstate=0x1010101)
> at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:1037
> #5 0x00025950 in process_recipient (addr=0x172fbf "", namespace=0x162610,
> ignorequota=0, verify_user=0x21310 <verify_user>, msg=0x179c08)
> at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:901
> #6 0x0002801c in lmtpmode (func=0x158024, pin=0x179a38, pout=0x179ab0,
> fd=0)
> at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpengine.c:1534
> #7 0x0001ec3c in service_main (argc=1, argv=0x16f618, envp=0xffbffcd4)
> at /opt/local/src/cyrus-imapd-2.3.14/imap/lmtpd.c:299
> #8 0x0001e610 in main (argc=1, argv=0xffbffccc, envp=0xffbffcd4)
> at /opt/local/src/cyrus-imapd-2.3.14/master/service.c:540
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
I already found this. The quota that is passed to verify_user() by
process_recipient() has to be a quota_t, not an int. A patch was
already submitted.
Ben
--
Ben Carter
University of Pittsburgh/CSSD
bhc@xxxxxxxx
412-624-6470
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
