fetchmail-friends
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[fetchmail] [PATCH] Fetchmail hangs on integer overflow

2003-09-27 15:31:21
from [Benjamin Drieu] [Permanent Link] 

Hi friends,

here is a bug report from a Debian user about Debian bug #207919 [1].
To summarize: some buggy IMAP servers give false huge sizes for
messages, which leads fetchmail to hang as this causes an integer
overflow.  User sent a patch that solves his problem with IMAP, but
there might be other cases where fetchmail behaves the same.

This is somewhat related to Debian bug #211017 [2], where fetchmail
segfaults if there are either too many messages or too many bytes to
download.  I don't have a patch for this, though.

Cheers,
Benjamin

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=207919
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211017

-- 
  .''`.
 ; ;' ;      Debian GNU/Linux     |   Benjamin Drieu
 `. `'    http://www.debian.org/  |  <benj(_at_)debian(_dot_)org>
   `-
--- Begin Message --- 
Package: fetchmail
Version: 6.2.4-1
Severity: normal
Tags: patch

Using the IMAP protocol to connect to an IMAPv4r1 server running
dbmail's IMAP daemon version 0.9, fetchmail hangs downloading mail
sometimes.  When this occurs, fetchmail has recorded the message size as
being some impossibly large number of bytes.

A log transcript follows, with '[...]' inserted anywhere that
repeated/irrelevant lines have been removed.

fetchmail: 6.2.4 querying mail.example.test (protocol IMAP) at Wed Sep 24 
10:31:40 2003: poll started
fetchmail: IMAP< * OK dbmail imap (protocol version 4r1) server 0.9 ready to run
fetchmail: IMAP> A0001 CAPABILITY
fetchmail: IMAP< * CAPABILITY IMAP4 IMAP4rev1 AUTH=LOGIN
fetchmail: IMAP< A0001 OK CAPABILITY completed
fetchmail: Protocol identified as IMAP4 rev 1
fetchmail: IMAP> A0002 LOGIN "jrhacker" *
fetchmail: IMAP< A0002 OK LOGIN completed
fetchmail: selecting or re-polling default folder
fetchmail: IMAP> A0003 SELECT "INBOX"
fetchmail: IMAP< * 115 EXISTS
fetchmail: IMAP< * 115 RECENT
fetchmail: IMAP< * FLAGS (\Seen \Answered \Deleted \Flagged \Draft \Recent )
fetchmail: IMAP< * OK [PERMANENTFLAGS (\Seen \Answered \Deleted \Flagged \Draft 
\Recent )]
fetchmail: IMAP< * OK [UIDVALIDITY 49447] UID value
fetchmail: IMAP< * OK [UNSEEN 1] first unseen message
fetchmail: IMAP< A0003 OK [READ-WRITE] SELECT completed
fetchmail: 115 messages waiting after first poll
fetchmail: IMAP> A0004 EXPUNGE
fetchmail: IMAP< A0004 OK EXPUNGE completed
fetchmail: 115 messages waiting after expunge
fetchmail: IMAP> A0005 SEARCH UNSEEN
fetchmail: IMAP< * SEARCH 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 
48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 
74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 
100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115
fetchmail: 1 is unseen
[...]
fetchmail: 115 is unseen
fetchmail: IMAP< A0005 OK SEARCH completed
fetchmail: 1 is first unseen
115 messages for jrhacker at mail.example.test.
fetchmail: IMAP> A0006 FETCH 1:115 RFC822.SIZE
fetchmail: IMAP< * 1 FETCH (RFC822.SIZE 1651)
[...]
fetchmail: IMAP< * 115 FETCH (RFC822.SIZE 2475)
fetchmail: IMAP< A0006 OK FETCH completed
fetchmail: IMAP> A0007 FETCH 1 RFC822.HEADER
fetchmail: IMAP< * 1 FETCH (RFC822.HEADER {1649}
reading message jrhacker(_at_)mail(_dot_)example(_dot_)test:1 of 115 (1649 
header octets)
About to rewrite Sender: owner-bugs(_at_)openbsd(_dot_)org
Rewritten version is Sender: owner-bugs(_at_)openbsd(_dot_)org

About to rewrite To: bugs(_at_)openbsd(_dot_)org
Rewritten version is To: bugs(_at_)openbsd(_dot_)org

About to rewrite From: Molly Salazar <molly_salazarsh(_at_)e-sense(_dot_)dk>
Rewritten version is From: Molly Salazar <molly_salazarsh(_at_)e-sense(_dot_)dk>

About to rewrite Return-Path: 
<owner-bugs+M4054=kinetik=orcon(_dot_)net(_dot_)nz(_at_)openbsd(_dot_)org>
Rewritten version is Return-Path: 
<owner-bugs+M4054=kinetik=orcon(_dot_)net(_dot_)nz(_at_)openbsd(_dot_)org>

fetchmail: SMTP< 220 brak ESMTP Exim 3.36 #1 Wed, 24 Sep 2003 10:31:42 +1200
fetchmail: SMTP> EHLO localhost
fetchmail: SMTP< 250-brak Hello jrhacker at brak [127.0.0.1]
fetchmail: SMTP< 250-SIZE
fetchmail: SMTP< 250-PIPELINING
fetchmail: SMTP< 250 HELP
fetchmail: forwarding to localhost
fetchmail: SMTP> MAIL 
FROM:<owner-bugs+M4054=kinetik=orcon(_dot_)net(_dot_)nz(_at_)openbsd(_dot_)org> 
SIZE=1651
fetchmail: SMTP< 250 
<owner-bugs+M4054=kinetik=orcon(_dot_)net(_dot_)nz(_at_)openbsd(_dot_)org> is 
syntactically correct
fetchmail: SMTP> RCPT TO:<jrhacker(_at_)localhost>
fetchmail: SMTP< 250 <jrhacker(_at_)localhost> verified
fetchmail: SMTP> DATA
fetchmail: SMTP< 354 Enter message, ending with "." on a line by itself
#fetchmail: IMAP< )
fetchmail: IMAP< A0007 OK FETCH completed
fetchmail: IMAP> A0008 FETCH 1 BODY.PEEK[TEXT]
fetchmail: IMAP< * 1 FETCH (BODY[TEXT] {18446744073709551615}
 (2147483647 body octets) **********.*****...**

At this point fetchmail hangs, presumably waiting for additional data
that will never come.

The root cause of this is a buggy IMAP implementation in the dbmail IMAP
daemon 0.9.  I have tested the version 1.1 release of dbmail and found
that this problem has been fixed.  However, fetchmail does not correctly
handle these large message sizes, which is what causes the hang.

I have reproduced this problem on another machine using OpenBSD 2.9 and
fetchmail 6.2.4.

fetchmail does not correctly handle cases where conversion of a number
from a string to an integer using atoi() causes an integer overflow.  I
have attached a patch that fixes this inside the IMAP code.  It appears
that the same problem exists in a couple of other places within
fetchmail.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux brak 2.6.0-test1-ac1 #4 Sat Jul 26 20:20:11 NZST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages fetchmail depends on:
ii  adduser                       3.51       Add and remove users and groups
ii  base-files                    3.0.10     Debian base system miscellaneous f
ii  debconf                       1.3.8      Debian configuration management sy
ii  debianutils                   2.5.4      Miscellaneous utilities specific t
ii  libc6                         2.3.1-16   GNU C Library: Shared libraries an
ii  libssl0.9.7                   0.9.7b-2   SSL shared libraries

-- debconf information:
* fetchmail/initdefaultswarn: 
* fetchmail/runasroot: false
* fetchmail/confwarn: 
  fetchmail/fetchidswarn: 
* fetchmail/systemwide: true

Attachment: fetchmail-6.2.4-imap-strtol.patch
Description: Text Data

Attachment: pgpe9b6ly8iAY.pgp
Description: PGP signature


--- End Message ---
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [fetchmail] [PATCH] Fetchmail hangs on integer overflow, Benjamin Drieu <=
Previous by Date:  [fetchmail] [PATCH] "Limit" doesn't cooperates with "flush", Benjamin Drieu
Next by Date:  [fetchmail] python script to delete old mail, James Stone
Previous by Thread:  [fetchmail] [PATCH] "Limit" doesn't cooperates with "flush", Benjamin Drieu
Next by Thread:  [fetchmail] python script to delete old mail, James Stone
Indexes:  [Date] [Thread] [Top] [All Lists]