[bug-mailutils] Sieve bugs [mailutils 1.0]
From: Kostas Zorbadelos
Subject: [bug-mailutils] Sieve bugs [mailutils 1.0]
Date: Tue, 3 Oct 2006 17:56:16 +0300
User-agent: Mutt/1.5.11

Hello to everyone.
I have discovered a couple of bugs related to the sieve
implementation in mailutils 1.0. For the first, I include a patch that
solves it, while for the second I have written the necessary code to
expose it and I cannot (in short time) provide a fix myself.
The first bug has to do with the vacation action implementation. In
libsieve/extensions/vacation.c file, vacation_subject() function, at
(or near) line 411 there is a check
else if (mu_message_get_header (msg, &hdr) == 0
         && mu_header_aget_value_unfold (hdr, MU_HEADER_SUBJECT, &value) == 0)
The problem is when this check fails, when for example the message has
no subject or its subject is empty. In this case, the control goes to
if (mu_rfc2047_encode (MU_SIEVE_CHARSET, "quoted-printable",
                       subject, &value))
with a random subject pointer. Also the variable subject_allocated is
uninitialized. We have noticed exhaustive CPU usage in our delivery
agent in our production systems because of this
(example stack trace:
#0 0xb7ea80d3 in mallopt () from /lib/tls/libc.so.6
#1 0xb7ea7f6e in mallopt () from /lib/tls/libc.so.6
#2 0xb7ea6dcb in free () from /lib/tls/libc.so.6
#3 0xb7fa7dbe in mu_header_set_value ()
#4 0xb7a4d740 in vacation_reply ()
#5 0xb7a4da38 in sieve_action_vacation ()
#6 0xb7f811fe in instr_run ()
#7 0xb7f81293 in instr_action ()
#8 0xb7f818c5 in sieve_run ()
#9 0xb7f81b88 in mu_sieve_message ()
...)
The attached patch solves the issue.
The second bug is in the sieve parser. To demonstrate the bug, I have
implemented a new sieve action called notify (attached also). This
notify action accepts a tag and has no arguments
notify [:method <url: string>]
When you have a sieve file like
#searchpath "/path/to/mailutils"
require["notify"];
if header :contains ["from"] ["kzorba"] { notify :method "sms:+3069XXXXXX"; }
everything is fine, but if you make a syntactic error and you have
#searchpath "/path/to/mailutils"
require["notify"];
if header :contains ["from"] ["kzorba"] { notify :method ; }
(the tag's argument is missing) then the sieve engine consumes all cpu
resources with the following stack trace:
(gdb) bt
#0 0xb7dd4e13 in pthread_rwlock_wrlock () from /lib/tls/libpthread.so.0
#1 0xb7fa0fc7 in monitor_pthread_wrlock (lock=0x80548d8) at monitor.c:280
#2 0xb7fa0e67 in mu_monitor_wrlock (monitor=0x8050f48) at monitor.c:179
#3 0xb7f94d41 in mu_list_append (list=0x80548b0, item=0x98d2c728) at list.c:92
#4 0xb7f6fc63 in mu_sieve_palloc (pool=0x80547a8, size=8) at util.c:52
#5 0xb7f6fdeb in mu_sieve_malloc (mach=0x80547a0, size=8) at util.c:108
#6 0xb7f69234 in sieve_code_command (reg=0x80596e8, arglist=0x805a428) at prog.c:202
#7 0xb7f697c7 in sieve_code_action (reg=0x80596e8, arglist=0x805a428) at prog.c:355
#8 0xb7f6bb8d in mu_sieve_yyparse () at sieve.y:266
#9 0xb7f6c9ba in mu_sieve_compile (mach=0x80547a0, name=0xbfffc660 "XXX.sieve") at sieve.y:603
Any input is highly welcome.
Regards,
Kostas
--
Kostas Zorbadelos
address@hidden contact: kzorba (at) otenet.gr
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Attachment: vacation.patch (Description: Text document)
Attachment: notify.c (Description: Text Data)
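
The pattern behind the first bug in the message above, as a stand-alone C example added here; it is not the mailutils source and not the attached patch. It shows a value assigned only inside some branches of an if/else-if chain and then used unconditionally, next to a form where every path is initialized. `dup_str`, `get_subject`, `reply_subject`, `reply_subject_buggy` and the default subject text are hypothetical names and values chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s) {            /* portable strdup */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Hypothetical stand-in for the header lookup: 0 on success, non-zero when
   the Subject header is missing or empty (the case from the report). */
static int get_subject(const char *hdr, char **out) {
    if (hdr == NULL || *hdr == '\0') return 1;
    return (*out = dup_str(hdr)) == NULL;
}

#ifdef SHOW_BUGGY  /* compiled out: reading these variables is undefined */
/* Defect shape: when both branches are skipped, `subject` and
   `subject_allocated` are read without ever having been written. */
static char *reply_subject_buggy(const char *tag, const char *hdr) {
    char *subject, *out;
    int subject_allocated;
    if (tag) subject = (char *)tag;
    else if (get_subject(hdr, &subject) == 0) subject_allocated = 1;
    out = dup_str(subject);                /* indeterminate pointer */
    if (subject_allocated) free(subject);  /* may free garbage */
    return out;
}
#endif

/* Hardened shape: both variables start in a known state and a final else
   supplies a default, so every path reaches the use with valid data. */
static char *reply_subject(const char *tag, const char *hdr) {
    char *subject = NULL, *out;
    int subject_allocated = 0;
    if (tag) subject = (char *)tag;
    else if (get_subject(hdr, &subject) == 0) subject_allocated = 1;
    else subject = (char *)"(no subject)";  /* constructed default */
    out = dup_str(subject);
    if (subject_allocated) free(subject);
    return out;                            /* caller frees */
}

int main(void) {
    char *s = reply_subject(NULL, "");     /* constructed: empty Subject */
    puts(s ? s : "(alloc failed)");
    free(s);
    return 0;
}
```

Building with `-Wall -O2 -DSHOW_BUGGY` on GCC or Clang typically flags the uninitialized reads in the compiled-out variant.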