View Issue Details

ID: 0001023
Project: SOGo
Category: SOPE
View Status: public
Last Update: 2011-06-16 15:41
Reporter: buzzdee
Assigned To: ludovic
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 1.3.4
Target Version: 1.3.8
Summary: 0001023: a specific mail always aborts the sogo instance
Description

Entering a folder with the attached mail stops sogo with an abort, assuming a double free.

(gdb) r -WOUseWatchDog NO -WONoDetach YES
Starting program: /usr/local/sbin/sogod -WOUseWatchDog NO -WONoDetach YES

Program received signal SIGABRT, Aborted.
[Switching to process 30039, thread 0x8403d800]
0x0a61d5ed in kill () from /usr/lib/libc.so.58.0
(gdb) bt
#0 0x0a61d5ed in kill () from /usr/lib/libc.so.58.0
#1 0x0a679735 in abort () at /usr/src/lib/libc/stdlib/abort.c:68
#2 0x0a6772bd in wrterror (msg=Variable "msg" is not available.
) at /usr/src/lib/libc/stdlib/malloc.c:387
#3 0x0a678709 in free (ptr=0xffffffff) at /usr/src/lib/libc/stdlib/malloc.c:1328
#4 0x0f71467d in libiconv_close (icd=0xffffffff) at /home/ports/pobj/libiconv-1.13/libiconv-1.13/lib/iconv.c:258
#5 0x01326aa9 in iconv_wrapper (self=0x2f4f43a0, _src=0x865bd840 "San Telmo Computación - Servicio", _srcLen=32, _fromEncode=0x865bd688,
toEncode=0x212fe5dc, outLen=0xcfbefca8) at NSString+Encoding.m:260
#6 0x01326e87 in +[NSString(Encoding) stringWithData:usingEncodingNamed:] (self=0x2f4f43a0, _cmd=0x25d96fd0, _data=0x86f326c8,
_encoding=0x86f32068) at NSString+Encoding.m:283
#7 0x05dc9890 in -[NSData(MimeQPHeaderFieldDecoding) decodeQuotedPrintableValueOfMIMEHeaderField:] (self=0x86f324a8, _cmd=0x25da4b28,
_name=0x25da4f1c) at NSData+MimeQP.m:167
#8 0x05dca0a7 in -[NGImap4ResponseParser _decodeQP:headerField:] (self=0x865bed68, _cmd=0x25da4b50, _string=0x7d368e28, _field=0x25da4f1c)
at NGImap4ResponseParser.m:1403
#9 0x05dcd915 in -[NGImap4ResponseParser _parseEnvelope] (self=0x865bed68, _cmd=0x25da4bb0) at NGImap4ResponseParser.m:1552
#10 0x05dd71ff in -[NGImap4ResponseParser _parseNumberUntaggedResponse:] (self=0x865bed68, cmd=0x25da4a00, result=0x7f66d048)
at NGImap4ResponseParser.m:1697
#11 0x05dd5d71 in -[NGImap4ResponseParser parseResponseForTagId:exception:] (self=0x865bed68, _cmd=0x25da5c98, tag=7, ex=0xcfbf0004)
at NGImap4ResponseParser.m:685
#12 0x05ddf837 in -[NGImap4Client processCommand:withTag:withNotification:logText:] (self=0x8a2a7c88, _cmd=0x25da60b0, _command=0x800c7d88,
_tag=Variable "_tag" is not available.
) at NGImap4Client.m:1508
#13 0x05dd8a26 in -[NGImap4Client processCommand:] (self=0x8a2a7c88, _cmd=0x25da5cb8, _command=0x800c7d88) at NGImap4Client.m:1579
#14 0x05ddabce in -[NGImap4Client fetchUids:parts:] (self=0x8a2a7c88, _cmd=0x25daf8c8, _uids=0x7d368008, _parts=0x865bdec8)
at NGImap4Client.m:865
#15 0x05e0778f in -[NGImap4Connection fetchUIDs:inURL:parts:] (self=0x871a5e88, _cmd=0x2326a9c0, _uids=0x7d368008, _url=0x83be6b88,
_parts=0x865bdec8) at NGImap4Connection.m:541
#16 0x0327cda0 in -[SOGoMailFolder fetchUIDs:parts:] (self=0x865bdd48, _cmd=0x2746a038, _uids=0x7d368008, _parts=0x865bdec8)
at SOGoMailFolder.m:555
#17 0x074736f5 in -[UIxMailListActions getHeadersForUIDs:inFolder:] (self=0x865bd408, _cmd=0x27469fe8, uids=0x7d368008, mailFolder=0x865bdd48)
at UIxMailListActions.m:597
#18 0x074734ea in -[UIxMailListActions getHeadersAction] (self=0x865bd408, _cmd=0x8ab3b360) at UIxMailListActions.m:722
#19 0x0f5f6195 in -[NSObject performSelector:] (self=0x865bd408, _cmd=0x2fe8b2f0, aSelector=0x8ab3b360) at NSObject.m:1831
#20 0x0fef3020 in -[WODirectAction performActionNamed:] (self=0x865bd408, _cmd=0x2fee41a0, _actionName=0x865bd348) at WODirectAction.m:101
#21 0x0ff889ab in -[SoActionInvocation callOnObject:withPositionalParametersWhenNotNil:inContext:] (self=0x8479fa68, _cmd=0x2fee41b8,
_client=0x865bdd48, _positionalArgs=0x0, _ctx=0x7dd9e408) at SoActionInvocation.m:300
#22 0x0ff887ce in -[SoActionInvocation callOnObject:inContext:] (self=0x8479fa68, _cmd=0x2fee4148, _client=0x865bdd48, _ctx=0x7dd9e408)
at SoActionInvocation.m:316
#23 0x0ff88853 in -[SoActionInvocation callOnObject:withPositionalParametersWhenNotNil:inContext:] (self=0x83920148, _cmd=0x2fee41b8,
_client=0x865bdd48, _positionalArgs=0x0, _ctx=0x7dd9e408) at SoActionInvocation.m:259
#24 0x0ff887ce in -[SoActionInvocation callOnObject:inContext:] (self=0x83920148, _cmd=0x2fee21a8, _client=0x865bdd48, _ctx=0x7dd9e408)
at SoActionInvocation.m:316
#25 0x0ff823d9 in -[SoObjectMethodDispatcher dispatchInContext:] (self=0x7f66d018, _cmd=0x2fee29b8, _ctx=0x7dd9e408)
at SoObjectMethodDispatcher.m:191
#26 0x0ff8465a in -[SoObjectRequestHandler handleRequest:inContext:session:application:] (self=0x89241188, _cmd=0x2fe94f38, _rq=0x85084608,
_ctx=0x7dd9e408, _sn=0x0, app=0x7e411788) at SoObjectRequestHandler.m:591
#27 0x0ff05697 in -[WORequestHandler handleRequest:] (self=0x89241188, _cmd=0x2fe72948, _request=0x85084608) at WORequestHandler.m:241
#28 0x0fec237d in -[WOCoreApplication dispatchRequest:usingHandler:] (self=0x7e411788, _cmd=0x2fe72978, _request=0x85084608, handler=0x89241188)
at WOCoreApplication.m:704
#29 0x0fec225e in -[WOCoreApplication dispatchRequest:] (self=0x7e411788, _cmd=0x3c0029b8, _request=0x85084608) at WOCoreApplication.m:744
#30 0x1c0036a3 in -[SOGo dispatchRequest:] (self=0x7e411788, _cmd=0x2fed23b0, _request=0x85084608) at SOGo.m:436
#31 0x0ff715bb in -[WOHttpTransaction _run] (self=0x85084488, _cmd=0x2fed23c8) at WOHttpTransaction.m:546
#32 0x0ff7466a in -[WOHttpTransaction run] (self=0x85084488, _cmd=0x2fed16a8) at WOHttpTransaction.m:599
#33 0x0ff6dfe5 in -[WOHttpAdaptor runConnection:] (self=0x8159b588, _cmd=0x2fed16f8, _socket=0x7dcf7c08) at WOHttpAdaptor.m:398
#34 0x0ff6fce6 in -[WOHttpAdaptor _handleAcceptedConnection:] (self=0x8159b588, _cmd=0x2fed1700, _connection=0x7dcf7c08) at WOHttpAdaptor.m:432
#35 0x0ff6f9f2 in -[WOHttpAdaptor _handleConnection:] (self=0x8159b588, _cmd=0x2fed1780, connection=0x7dcf7c08) at WOHttpAdaptor.m:543
#36 0x0ff6feaf in -[WOHttpAdaptor acceptConnection:] (self=0x8159b588, _cmd=0x2fed1688, _notification=0x7ed69028) at WOHttpAdaptor.m:607
#37 0x0f5e671e in -[NSNotificationCenter _postAndRelease:] (self=0x7c03b718, _cmd=0x2f4d71d0, notification=0x7ed69028)
at NSNotificationCenter.m:1161
#38 0x0f5e5948 in -[NSNotificationCenter postNotificationName:object:userInfo:] (self=0x7c03b718, _cmd=0x2f4d71d8, name=0x212fe09c,
object=0x8159bc48, info=0x0) at NSNotificationCenter.m:1220
#39 0x0f5e57be in -[NSNotificationCenter postNotificationName:object:] (self=0x7c03b718, _cmd=0x212fe028, name=0x212fe09c, object=0x8159bc48)
at NSNotificationCenter.m:1200
#40 0x013258f2 in -[NSObject(FileObjectWatcher) receivedEvent:type:extra:forMode:] (self=0x8159bc48, _cmd=0x2f52bb40, _fdData=0xb,
_type=ET_RDESC, _extra=0xb, _mode=0x2f4eb0c0) at NSRunLoop+FileObjects.m:57
#41 0x0f6fa3de in -[GSRunLoopCtxt pollUntil:within:] (self=0x7e411808, _cmd=0x2f4eb050, milliseconds=29990, contexts=0x7cbebc08)
at GSRunLoopCtxt.m:636
#42 0x0f635b62 in -[NSRunLoop acceptInputForMode:beforeDate:] (self=0x7cbebae8, _cmd=0x2f4eb078, mode=0x2f4eb0c0, limit_date=0x7ed693a8)
at NSRunLoop.m:1197
#43 0x0f633c83 in -[NSRunLoop runMode:beforeDate:] (self=0x7cbebae8, _cmd=0x2fe728b8, mode=0x2f4eb0c0, date=0x7cbebb08) at NSRunLoop.m:1265
#44 0x0fec2d31 in -[WOCoreApplication run] (self=0x7e411788, _cmd=0x3c0028c8) at WOCoreApplication.m:576
#45 0x1c001b22 in -[SOGo run] () at SOGo.m:260
#46 0x0feee97e in WOApplicationMain (_appClassName=0x3c00196c, argc=5, argv=0xcfbf1034) at WOApplicationMain.m:42
#47 0x0ff106bd in WOWatchDogApplicationMain (appName=0x3c00196c, argc=5, argv=0xcfbf1034) at WOWatchDogApplicationMain.m:969
#48 0x1c001697 in gnustep_base_user_main (argc=5, argv=0xcfbf1034, env=0xcfbf104c) at sogod.m:53
#49 0x0f624c9e in main (argc=5, argv=Cannot access memory at address 0x4
) at NSProcessInfo.m:933
#50 0x1c001397 in ___start ()
#51 0x1c001317 in _start ()
#52 0x00000000 in ?? ()

Additional Information

This happens always. In case there are many mails in the folder, someone needs to scroll to the evil mail.

Happens on OpenBSD i386, libiconv-1.13p2, sope/sogo 1.3.4, gnustep-base-1.20.1p0.

I also tried with libiconv-1.13.1, but it's still aborting.

When uncommenting the free(cd); in iconv_close() in libiconv, the error doesn't happen, but I think the problem is somewhere in sope and not in libiconv.

in sogod.log I see:
127.0.0.1 - - [01/Dec/2010:19:58:48 GMT] "POST /SOGo/so/sebastia/Mail//0/folderINBOX/folderTEST/uids HTTP/1.1" 200 6/43 1.367 - - -
2010-12-01 19:58:49.002 sogod[30039] Note: using 'UCS-2-INTERNAL' on Linux.
Dec 01 19:58:49 sogod [30039]: <0x0x2f4f43a0[NSString]> iconv_wrapper: Could not handle iconv encoding. FromEncoding:WINDOWS-1252HTTP-EQUIVCONTENT-TYPE to encoding:UCS-2-INTERNAL
sogod in free(): error: bogus pointer (double free?) 0xffffffff

Tags: No tags attached.

Activities

ludovic

2010-12-01 20:46

administrator   ~0001902

Can you attach the culprit mail?

buzzdee

2010-12-01 21:12

reporter   ~0001903

sure, I actually thought I did with the initial report.

2010-12-01 21:13

 

evil-mail.txt (2,097 bytes)   
Return-Path: <owner-misc+M92201@openbsd.org>
Received: from smtp.l00-bugdead-prods.de ([unix socket])
	 by communicator.ds9 (Cyrus v2.3.12) with LMTPA;
	 Wed, 11 Nov 2009 14:14:02 +0100
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost.ds9 [127.0.0.1])
	by smtp.l00-bugdead-prods.de (Postfix) with ESMTP id 3DAB6D2FDB
	for <sebastia@l00-bugdead-prods.de>; Wed, 11 Nov 2009 14:14:02 +0100 (CET)
X-Virus-Scanned: amavisd-new at example.com
Received: from smtp.l00-bugdead-prods.de ([127.0.0.1])
	by localhost (communicator.ds9 [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id WiQuuZAZ1T1L for <sebastia@l00-bugdead-prods.de>;
	Wed, 11 Nov 2009 14:13:27 +0100 (CET)
Received: from shear.ucar.edu (lists.openbsd.org [192.43.244.163])
	by smtp.l00-bugdead-prods.de (Postfix) with ESMTP id 6F353D2F0E
	for <sebastia@l00-bugdead-prods.de>; Wed, 11 Nov 2009 14:13:26 +0100 (CET)
Received: from openbsd.org (localhost.ucar.edu [127.0.0.1])
	by shear.ucar.edu (8.14.3/8.14.3) with ESMTP id nABD9rxU024809;
	Wed, 11 Nov 2009 06:09:53 -0700 (MST)
Received: from mail.dnsba.com (hostbw-4.dnsba.com [190.2.55.4])
	by shear.ucar.edu (8.14.3/8.14.3) with ESMTP id nABD71af025009
	for <misc@openbsd.org>; Wed, 11 Nov 2009 06:07:02 -0700 (MST)
Received: from Malibu (unknown [190.244.170.28])
	by mail.dnsba.com (Postfix) with ESMTP id 18FA6A7884ED
	for <misc@openbsd.org>; Wed, 11 Nov 2009 11:08:17 -0200 (ARST)
MIME-Version: 1.0
From: "San Telmo Computacion" <stc@santelmocomputacion.com.ar>
Reply-To: stc@santelmocomputacion.com.ar
To: misc@openbsd.org
Subject: =?windows-1252http-equivContent-Type?Q?San_Telmo_Computaci=F3n_-_Servicio?= =?windows-1252http-equivContent-Type?Q?s_Web?=
Content-Type: text/plain; charset="us-ascii"
X-Mailer: SendBlaster.1.6.0
Date: Wed, 11 Nov 2009 10:06:48 -0200
Message-ID: <2100642349922361827132@Malibu>
X-Converted-To-Plain-Text: from multipart/alternative by demime 1.01d
X-Converted-To-Plain-Text: Alternative section used was text/plain
X-Loop: misc@openbsd.org
Precedence: list
Sender: owner-misc@openbsd.org

ludovic

2010-12-01 21:16

administrator   ~0001904

Works for me.

2010-12-01 21:17

[Attachment: Screen shot 2010-12-01 at 4.16.52 PM.png]

buzzdee

2010-12-02 07:28

reporter   ~0001908

I'll see whether I can find more of those evil e-mails, since I can reproduce the problem all the time here.

buzzdee

2010-12-02 07:56

reporter   ~0001909

Here another backtrace from another evil mail, also ending in an abort:
$ gdb /usr/local/sbin/sogod
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd4.8"...
(gdb) r -WOUseWatchDog NO -WONoDetach YES
Starting program: /usr/local/sbin/sogod -WOUseWatchDog NO -WONoDetach YES

Program received signal SIGABRT, Aborted.
[Switching to process 8056, thread 0x7d81b800]
0x00f935ed in kill () from /usr/lib/libc.so.58.0
(gdb) bt
#0 0x00f935ed in kill () from /usr/lib/libc.so.58.0
#1 0x00fef735 in abort () at /usr/src/lib/libc/stdlib/abort.c:68
#2 0x00fed2bd in wrterror (msg=Variable "msg" is not available.
) at /usr/src/lib/libc/stdlib/malloc.c:387
#3 0x00fee709 in free (ptr=0xffffffff) at /usr/src/lib/libc/stdlib/malloc.c:1328
#4 0x048d267d in libiconv_close (icd=0xffffffff) at /home/ports/pobj/libiconv-1.13/libiconv-1.13/lib/iconv.c:258
#5 0x04badaa9 in iconv_wrapper (self=0x2aaaf3a0, _src=0x894fdf70 "PERD?N", _srcLen=6, _fromEncode=0x7ccf7988, toEncode=0x24b855dc, outLen=0xcfbec7b8)
at NSString+Encoding.m:260
#6 0x04bade87 in +[NSString(Encoding) stringWithData:usingEncodingNamed:] (self=0x2aaaf3a0, _cmd=0x29e19fd0, _data=0x885ff908, _encoding=0x885ff968)
at NSString+Encoding.m:283
#7 0x09e4c890 in -[NSData(MimeQPHeaderFieldDecoding) decodeQuotedPrintableValueOfMIMEHeaderField:] (self=0x885ff328, _cmd=0x29e27b28, _name=0x29e27f1c)
at NSData+MimeQP.m:167
#8 0x09e4d0a7 in -[NGImap4ResponseParser _decodeQP:headerField:] (self=0x7f9fd228, _cmd=0x29e27b50, _string=0x885ff8e8, _field=0x29e27f1c)
at NGImap4ResponseParser.m:1403
#9 0x09e50915 in -[NGImap4ResponseParser _parseEnvelope] (self=0x7f9fd228, _cmd=0x29e27bb0) at NGImap4ResponseParser.m:1552
#10 0x09e5a1ff in -[NGImap4ResponseParser _parseNumberUntaggedResponse:] (self=0x7f9fd228, cmd=0x29e27a00, result=0x7db79188) at NGImap4ResponseParser.m:1697
#11 0x09e58d71 in -[NGImap4ResponseParser parseResponseForTagId:exception:] (self=0x7f9fd228, _cmd=0x29e28c98, tag=47, ex=0xcfbecb14) at NGImap4ResponseParser.m:685
#12 0x09e62837 in -[NGImap4Client processCommand:withTag:withNotification:logText:] (self=0x88172b08, _cmd=0x29e290b0, _command=0x823e4e08, _tag=Variable "_tag" is not available.
)
at NGImap4Client.m:1508
#13 0x09e5ba26 in -[NGImap4Client processCommand:] (self=0x88172b08, _cmd=0x29e28cb8, _command=0x823e4e08) at NGImap4Client.m:1579
#14 0x09e5dbce in -[NGImap4Client fetchUids:parts:] (self=0x88172b08, _cmd=0x29e328c8, _uids=0x8b2b2688, _parts=0x7f9fb348) at NGImap4Client.m:865
#15 0x09e8a78f in -[NGImap4Connection fetchUIDs:inURL:parts:] (self=0x7f9fbd88, _cmd=0x2a66c9c0, _uids=0x8b2b2688, _url=0x7f9f8a08, _parts=0x7f9fb348)
at NGImap4Connection.m:541
#16 0x0a67eda0 in -[SOGoMailFolder fetchUIDs:parts:] (self=0x829fb388, _cmd=0x2187a038, _uids=0x8b2b2688, _parts=0x7f9fb348) at SOGoMailFolder.m:555
#17 0x018836f5 in -[UIxMailListActions getHeadersForUIDs:inFolder:] (self=0x7d262d48, _cmd=0x21879fe8, uids=0x8b2b2688, mailFolder=0x829fb388)
at UIxMailListActions.m:597
#18 0x018834ea in -[UIxMailListActions getHeadersAction] (self=0x7d262d48, _cmd=0x7dcc9358) at UIxMailListActions.m:722
#19 0x0abb1195 in -[NSObject performSelector:] (self=0x7d262d48, _cmd=0x227c42f0, aSelector=0x7dcc9358) at NSObject.m:1831
#20 0x0282c020 in -[WODirectAction performActionNamed:] (self=0x7d262d48, _cmd=0x2281d1a0, _actionName=0x7d262ec8) at WODirectAction.m:101
#21 0x028c19ab in -[SoActionInvocation callOnObject:withPositionalParametersWhenNotNil:inContext:] (self=0x8b2b2208, _cmd=0x2281d1b8, _client=0x829fb388,
_positionalArgs=0x0, _ctx=0x891bcc08) at SoActionInvocation.m:300
#22 0x028c17ce in -[SoActionInvocation callOnObject:inContext:] (self=0x8b2b2208, _cmd=0x2281d148, _client=0x829fb388, _ctx=0x891bcc08) at SoActionInvocation.m:316
#23 0x028c1853 in -[SoActionInvocation callOnObject:withPositionalParametersWhenNotNil:inContext:] (self=0x8b784a28, _cmd=0x2281d1b8, _client=0x829fb388,
_positionalArgs=0x0, _ctx=0x891bcc08) at SoActionInvocation.m:259
#24 0x028c17ce in -[SoActionInvocation callOnObject:inContext:] (self=0x8b784a28, _cmd=0x2281b1a8, _client=0x829fb388, _ctx=0x891bcc08) at SoActionInvocation.m:316
#25 0x028bb3d9 in -[SoObjectMethodDispatcher dispatchInContext:] (self=0x7db79178, _cmd=0x2281b9b8, _ctx=0x891bcc08) at SoObjectMethodDispatcher.m:191
#26 0x028bd65a in -[SoObjectRequestHandler handleRequest:inContext:session:application:] (self=0x80f4bf88, _cmd=0x227cdf38, _rq=0x82128108, _ctx=0x891bcc08, _sn=0x0,
app=0x7e1fcb88) at SoObjectRequestHandler.m:591
#27 0x0283e697 in -[WORequestHandler handleRequest:] (self=0x80f4bf88, _cmd=0x227ab948, _request=0x82128108) at WORequestHandler.m:241
#28 0x027fb37d in -[WOCoreApplication dispatchRequest:usingHandler:] (self=0x7e1fcb88, _cmd=0x227ab978, _request=0x82128108, handler=0x80f4bf88)
at WOCoreApplication.m:704
#29 0x027fb25e in -[WOCoreApplication dispatchRequest:] (self=0x7e1fcb88, _cmd=0x3c0029b8, _request=0x82128108) at WOCoreApplication.m:744
#30 0x1c0036a3 in -[SOGo dispatchRequest:] (self=0x7e1fcb88, _cmd=0x2280b3b0, _request=0x82128108) at SOGo.m:436
#31 0x028aa5bb in -[WOHttpTransaction _run] (self=0x82128c08, _cmd=0x2280b3c8) at WOHttpTransaction.m:546
#32 0x028ad66a in -[WOHttpTransaction run] (self=0x82128c08, _cmd=0x2280a6a8) at WOHttpTransaction.m:599
---Type <return> to continue, or q <return> to quit---
#33 0x028a6fe5 in -[WOHttpAdaptor runConnection:] (self=0x842c8088, _cmd=0x2280a6f8, _socket=0x842c8808) at WOHttpAdaptor.m:398
#34 0x028a8ce6 in -[WOHttpAdaptor _handleAcceptedConnection:] (self=0x842c8088, _cmd=0x2280a700, _connection=0x842c8808) at WOHttpAdaptor.m:432
#35 0x028a89f2 in -[WOHttpAdaptor _handleConnection:] (self=0x842c8088, _cmd=0x2280a780, connection=0x842c8808) at WOHttpAdaptor.m:543
#36 0x028a8eaf in -[WOHttpAdaptor acceptConnection:] (self=0x842c8088, _cmd=0x2280a688, _notification=0x8a991708) at WOHttpAdaptor.m:607
#37 0x0aba171e in -[NSNotificationCenter _postAndRelease:] (self=0x8adac6d8, _cmd=0x2aa921d0, notification=0x8a991708) at NSNotificationCenter.m:1161
#38 0x0aba0948 in -[NSNotificationCenter postNotificationName:object:userInfo:] (self=0x8adac6d8, _cmd=0x2aa921d8, name=0x24b8509c, object=0x842c8b48, info=0x0)
at NSNotificationCenter.m:1220
#39 0x0aba07be in -[NSNotificationCenter postNotificationName:object:] (self=0x8adac6d8, _cmd=0x24b85028, name=0x24b8509c, object=0x842c8b48)
at NSNotificationCenter.m:1200
#40 0x04bac8f2 in -[NSObject(FileObjectWatcher) receivedEvent:type:extra:forMode:] (self=0x842c8b48, _cmd=0x2aae6b40, _fdData=0xb, _type=ET_RDESC, _extra=0xb,
_mode=0x2aaa60c0) at NSRunLoop+FileObjects.m:57
#41 0x0acb53de in -[GSRunLoopCtxt pollUntil:within:] (self=0x7e1fc408, _cmd=0x2aaa6050, milliseconds=25692, contexts=0x813d9588) at GSRunLoopCtxt.m:636
#42 0x0abf0b62 in -[NSRunLoop acceptInputForMode:beforeDate:] (self=0x813d9c08, _cmd=0x2aaa6078, mode=0x2aaa60c0, limit_date=0x813d97c8) at NSRunLoop.m:1197
#43 0x0abeec83 in -[NSRunLoop runMode:beforeDate:] (self=0x813d9c08, _cmd=0x227ab8b8, mode=0x2aaa60c0, date=0x813d97c8) at NSRunLoop.m:1265
#44 0x027fbd31 in -[WOCoreApplication run] (self=0x7e1fcb88, _cmd=0x3c0028c8) at WOCoreApplication.m:576
#45 0x1c001b22 in -[SOGo run] () at SOGo.m:260
#46 0x0282797e in WOApplicationMain (_appClassName=0x3c00196c, argc=5, argv=0xcfbedb40) at WOApplicationMain.m:42
#47 0x028496bd in WOWatchDogApplicationMain (appName=0x3c00196c, argc=5, argv=0xcfbedb40) at WOWatchDogApplicationMain.m:969
#48 0x1c001697 in gnustep_base_user_main (argc=5, argv=0xcfbedb40, env=0xcfbedb58) at sogod.m:53
#49 0x0abdfc9e in main (argc=5, argv=Cannot access memory at address 0x4
) at NSProcessInfo.m:933
#50 0x1c001397 in ___start ()
#51 0x1c001317 in _start ()
#52 0x00000000 in ?? ()

And the log output from sogod.log:
Dec 02 08:52:14 sogod [11081]: <0x0x21f423a0[NSString]> iconv_wrapper: Could not handle iconv encoding. FromEncoding:ISO-8859-1HTTP-EQUIVCONTENT-TYPE to encoding:UCS-2-INTERNAL
sogod in free(): error: bogus pointer (double free?) 0xffffffff

2010-12-02 07:57

 

evil-mail2.txt (3,075 bytes)   
Return-Path: <owner-tech+M21613@openbsd.org>
Received: from smtp.l00-bugdead-prods.de ([unix socket])
	 by communicator.ds9 (Cyrus v2.3.14) with LMTPA;
	 Sat, 25 Sep 2010 08:39:21 +0200
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
	by smtp.l00-bugdead-prods.de (Postfix) with ESMTP id 9ACA774EB8
	for <sebastia@l00-bugdead-prods.de>; Sat, 25 Sep 2010 08:39:21 +0200 (CEST)
X-Virus-Scanned: amavisd-new at l00-bugdead-prods.de
Received: from smtp.l00-bugdead-prods.de ([127.0.0.1])
	by localhost (communicator.ds9 [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 9LfamfnXQmx5 for <sebastia@l00-bugdead-prods.de>;
	Sat, 25 Sep 2010 08:39:13 +0200 (CEST)
Received: from shear.ucar.edu (lists.openbsd.org [192.43.244.163])
	by smtp.l00-bugdead-prods.de (Postfix) with ESMTP id 15D1974EB7
	for <sebastia@l00-bugdead-prods.de>; Sat, 25 Sep 2010 08:39:12 +0200 (CEST)
Received: from openbsd.org (localhost.ucar.edu [127.0.0.1])
	by shear.ucar.edu (8.14.3/8.14.3) with ESMTP id o8P6bcX1005615;
	Sat, 25 Sep 2010 00:37:38 -0600 (MDT)
Received: from vps.usuarioweb.com.ar (static-222-178-73-69.nocdirect.com [69.73.178.222])
	by shear.ucar.edu (8.14.3/8.14.3) with ESMTP id o8P6aK5G007896 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO)
	for <tech@openbsd.org>; Sat, 25 Sep 2010 00:36:21 -0600 (MDT)
Received: from [186.137.189.236] (helo=929e12e0d6a2490)
	by vps.usuarioweb.com.ar with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <ministerios@newssmail.com.ar>) id 1OzOMt-00034l-Re
	for tech@openbsd.org; Sat, 25 Sep 2010 02:36:20 -0400
MIME-Version: 1.0
From: "Ministerios" <ministerios@newssmail.com.ar>
Reply-To: difusionfeedback@gmail.com
To: tech@openbsd.org
Subject: =?iso-8859-1http-equivContent-Type?Q?PERD=D3N?=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: SendBlaster.1.5.5
Date: Sat, 25 Sep 2010 03:36:17 -0300
Message-ID: <2196337086320114731484@929e12e0d6a2490>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.usuarioweb.com.ar
X-AntiAbuse: Original Domain - openbsd.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - newssmail.com.ar
X-Converted-To-Plain-Text: from text/html by demime 1.01d
List-Help: <mailto:majordomo@openbsd.org?body=help>
List-Owner: <mailto:tech-owner@openbsd.org>
List-Post: <mailto:tech@openbsd.org>
List-Subscribe: <mailto:majordomo@openbsd.org?body=sub%20tech>
List-Unsubscribe: <mailto:majordomo@openbsd.org?body=unsub%20tech>
X-Loop: tech@openbsd.org
Precedence: list
Sender: owner-tech@openbsd.org

Mail para ser visto con conexisn, si no puede verlo, click aqum

[IMAGE]

Si usted no esta interesado en recibir mas informacisn proporcionada por
Feedback, Agencia de Prensa, envmenos un e-mail indicando " Remover" de
la Lista "Prensa y Difusisn" a prensafeedback@gmail.com Nuevamente
disculpe por las molestias que le pudimos haber ocasionado.

ludovic

2010-12-02 15:41

administrator   ~0001915

That mail also works just fine.

buzzdee

2010-12-02 18:22

reporter   ~0001923

Also with the two defaults added that you recommended in bug report 0001022, the abort still happens reproducibly.

Are there any other defaults I could try to set which might affect the abort?

buzzdee

2010-12-10 22:37

reporter   ~0001944

After more debugging with gdb, and looking at the logs again, I found that the FromEncoding here is the problem: both subjects use "strange" encodings.

The iconv_wrapper method in NSString+Encoding.m gets an error back when calling type = iconv_open(From, To). Then "type" is checked for errors (type == (iconv_t)-1); in case this happens, the code path goes to CLEAR_AND_RETURN, where it clears/frees the used memory and returns from the function. However, when type == (iconv_t)-1, it should not call iconv_close(type).

I added a check in the patch to only call iconv_close when it is not (iconv_t)-1.

2010-12-10 22:40

 

patch-sope-core_NGExtensions_FdExt_subproj_NSString+Encoding_m (487 bytes)   
$OpenBSD$

fix abort(), when there was an error with iconv_open getting a conversion descriptor

--- sope-core/NGExtensions/FdExt.subproj/NSString+Encoding.m.orig	Tue Nov  2 15:12:13 2010
+++ sope-core/NGExtensions/FdExt.subproj/NSString+Encoding.m	Fri Dec 10 19:58:24 2010
@@ -256,7 +256,7 @@ static char *iconv_wrapper(id self, char *_src, unsign
   return outbuf;
   
  CLEAR_AND_RETURN:
-  if (type)
+  if (type && (type != (iconv_t)-1))
     iconv_close(type);
   
   if (outbuf) {
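
Review bot: In the CLEAR_AND_RETURN check, "if (type && (type != (iconv_t)-1))" keeps two different "not open" values alive, and the hunk does not show what type holds when the label is reached before iconv_open has run. iconv_open reports failure only as (iconv_t)-1, so I would initialise type to (iconv_t)-1 at its declaration and test just "type != (iconv_t)-1" here, which also stops treating the opaque iconv_t as a truth value. The comparison itself matches the abort in the backtraces, where iconv_close is entered with icd=0xffffffff. A regression test that decodes the Subject headers of the two attached mails would keep this from coming back.
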
gienger

2010-12-13 21:59

reporter   ~0001945

I can't reproduce this. I copied evil-mail.txt 1:1 in my IMAP-folder and this is the result:

188.105.130.106 - - [13/Dec/2010:22:58:08 GMT] "POST /SOGo/so/pop05579/Mail//0/folderINBOX/117864/view?noframe=1 HTTP/1.1" 200 937/0 0.352 2601 63% 0
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f6423c60[NSString]> iconv_wrapper: Could not handle iconv encoding. FromEncoding:WINDOWS-1252HTTP-EQUIVCONTENT-TYPE to encoding:UCS-2LE
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f4d5fac0[NGMimeType]> +[NGMimeType stringEncodingForCharset:]: unknown charset 'windows-1252http-equivContent-Type'
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f6423c60[NSString]> iconv_wrapper: Could not handle iconv encoding. FromEncoding:WINDOWS-1252HTTP-EQUIVCONTENT-TYPE to encoding:UCS-2LE
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f4d5fac0[NGMimeType]> +[NGMimeType stringEncodingForCharset:]: unknown charset 'windows-1252http-equivContent-Type'
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f6423c60[NSString]> iconv_wrapper: Could not handle iconv encoding. FromEncoding:WINDOWS-1252HTTP-EQUIVCONTENT-TYPE to encoding:UCS-2LE
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f4d5fac0[NGMimeType]> +[NGMimeType stringEncodingForCharset:]: unknown charset 'windows-1252http-equivContent-Type'
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f6423c60[NSString]> iconv_wrapper: Could not handle iconv encoding. FromEncoding:WINDOWS-1252HTTP-EQUIVCONTENT-TYPE to encoding:UCS-2LE
Dec 13 22:58:11 sogod [29488]: <0x0x2ba2f4d5fac0[NGMimeType]> +[NGMimeType stringEncodingForCharset:]: unknown charset 'windows-1252http-equivContent-Type'

2010-12-13 22:00

 

Bild 3.png (38,517 bytes)   

gienger

2010-12-13 22:01

reporter   ~0001946

Bild 3.png shows the result in my SOGo installation.

Version 1.3.4, running on CentOS 5.5 with latest patches installed.
Latest rpmforge packets. Latest SOGo update.
x86_64 architecture.

buzzdee

2010-12-14 08:33

reporter   ~0001947

I don't know why it is not aborting on Linux. However, the OpenBSD malloc is different to others, not tolerating programming errors that stay uncovered on other systems. I think the A option (enabled by default) to OpenBSD malloc.conf causes the abort().
http://www.openbsd.org/cgi-bin/man.cgi?query=malloc.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
A ``Abort''. malloc() will coredump the process, rather than
tolerate internal inconsistencies or incorrect usage. This is
the default and a very handy debugging aid, since the core file
represents the time of failure, rather than when the bogus
pointer was used.

As far as I can see, my patch seems to be right. Not freeing sth. that was not allocated seems reasonable for me. Please let me know if I am wrong.
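
Added example, not part of the thread and not SOPE's code: the path from an untrusted RFC 2047 charset label to iconv_open, with cleanup that never passes (iconv_t)-1 to iconv_close. The names convert_to_utf8 and decode_q_word are hypothetical, the target is UTF-8 rather than SOPE's UCS-2 encodings, and it goes slightly beyond the patch by parsing the Q-encoded word itself.

```c
#include <ctype.h>
#include <errno.h>
#include <iconv.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Convert srclen bytes in charset `from` to a malloc'd, NUL-terminated UTF-8
 * string. Returns NULL with errno set on failure (EINVAL: unknown charset). */
char *convert_to_utf8(const char *from, const char *src, size_t srclen)
{
    iconv_t cd = (iconv_t)-1;   /* failure sentinel doubles as "not opened" */
    char *out = NULL, *result = NULL, *in = (char *)src, *outp;
    size_t inleft = srclen, outleft;
    int saved;

    if (srclen > (SIZE_MAX - 1) / 4) { errno = EOVERFLOW; goto done; }
    cd = iconv_open("UTF-8", from);
    if (cd == (iconv_t)-1)
        goto done;              /* no descriptor exists, so none to close */
    /* 4 bytes per input byte covers common charsets; if that is ever too
     * small, iconv() fails with E2BIG instead of overrunning the buffer. */
    out = malloc(srclen * 4 + 1);
    if (out == NULL)
        goto done;
    outp = out;
    outleft = srclen * 4;
    if (iconv(cd, &in, &inleft, &outp, &outleft) == (size_t)-1)
        goto done;
    *outp = '\0';
    result = out;
    out = NULL;
done:
    saved = errno;
    /* "if (cd)" is true for (iconv_t)-1, so compare against the sentinel. */
    if (cd != (iconv_t)-1)
        iconv_close(cd);
    free(out);
    errno = saved;
    return result;
}

static int hexval(unsigned char c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Decode one RFC 2047 Q-encoded word "=?charset?Q?text?=" to UTF-8.
 * Returns NULL if the word is malformed or its charset cannot be converted. */
char *decode_q_word(const char *word)
{
    char charset[64], raw[256];
    size_t wlen = strlen(word), n = 0;
    const char *cs, *q, *p, *end;

    if (wlen < 8 || strncmp(word, "=?", 2) != 0)
        return NULL;
    cs = word + 2;
    end = word + wlen - 2;
    q = strchr(cs, '?');
    if (strcmp(end, "?=") != 0 || q == NULL || q == cs
        || (size_t)(q - cs) >= sizeof charset
        || (q[1] != 'Q' && q[1] != 'q') || q[2] != '?' || q + 3 > end)
        return NULL;
    memcpy(charset, cs, (size_t)(q - cs));
    charset[q - cs] = '\0';
    for (p = q + 3; p < end; p++) {
        if (n == sizeof raw)
            return NULL;
        if (*p == '=') {        /* "=XX" hex escape */
            if (end - p < 3 || !isxdigit((unsigned char)p[1])
                || !isxdigit((unsigned char)p[2]))
                return NULL;
            raw[n++] = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 2;
        } else {
            raw[n++] = (*p == '_') ? ' ' : *p;
        }
    }
    return convert_to_utf8(charset, raw, n);
}

int main(void)
{
    /* A constructed clean word, then the Subject word from evil-mail2.txt. */
    const char *w[] = { "=?iso-8859-1?Q?PERD=D3N?=",
                        "=?iso-8859-1http-equivContent-Type?Q?PERD=D3N?=" };
    for (int i = 0; i < 2; i++) {
        char *s = decode_q_word(w[i]);
        printf("%s -> %s\n", w[i], s ? s : "(not decodable, keep raw text)");
        free(s);
    }
    return 0;
}
```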

buzzdee

2011-04-13 11:37

reporter   ~0002375

Could this be reviewed and commented, or even included if it's fine? Shortly after a release is a good time to add new stuff, since there's plenty of time for testing till the next release ;)

buzzdee

2011-05-05 22:29

reporter   ~0002430

Last edited: 2011-05-05 22:30

asking again, is there anything wrong with this patch?
patch still applies to 1.3.7 sources.

ludovic

2011-06-15 20:54

administrator   ~0002580

Nothing wrong with the patch - will be included for 1.3.8.

ludovic

2011-06-16 15:41

administrator   ~0002591

Patch pushed: http://mtn.inverse.ca/revision/diff/856965845eee02997e104f46f22a199238f9ed24/with/c209a0a647b14e436b77bc38e0b7b04cc2213d0d

Issue History

Date Modified Username Field Change
2010-12-01 19:06 buzzdee New Issue
2010-12-01 20:46 ludovic Note Added: 0001902
2010-12-01 21:12 buzzdee Note Added: 0001903
2010-12-01 21:13 buzzdee File Added: evil-mail.txt
2010-12-01 21:16 ludovic Note Added: 0001904
2010-12-01 21:17 ludovic File Added: Screen shot 2010-12-01 at 4.16.52 PM.png
2010-12-02 07:28 buzzdee Note Added: 0001908
2010-12-02 07:56 buzzdee Note Added: 0001909
2010-12-02 07:57 buzzdee File Added: evil-mail2.txt
2010-12-02 15:41 ludovic Note Added: 0001915
2010-12-02 18:22 buzzdee Note Added: 0001923
2010-12-10 22:37 buzzdee Note Added: 0001944
2010-12-10 22:40 buzzdee File Added: patch-sope-core_NGExtensions_FdExt_subproj_NSString+Encoding_m
2010-12-13 21:59 gienger Note Added: 0001945
2010-12-13 22:00 gienger File Added: Bild 3.png
2010-12-13 22:01 gienger Note Added: 0001946
2010-12-14 08:33 buzzdee Note Added: 0001947
2011-02-18 02:13 ludovic Status new => assigned
2011-02-18 02:13 ludovic Assigned To => ludovic
2011-04-13 11:37 buzzdee Note Added: 0002375
2011-05-05 22:29 buzzdee Note Added: 0002430
2011-05-05 22:30 buzzdee Note Edited: 0002430
2011-06-15 20:54 ludovic Note Added: 0002580
2011-06-15 20:54 ludovic Target Version => 1.3.8
2011-06-16 15:41 ludovic Note Added: 0002591
2011-06-16 15:41 ludovic Status assigned => resolved
2011-06-16 15:41 ludovic Resolution open => fixed