I noticed a bunch of crashes when Gmail users tried to slurp up their
(empty) mailboxes.  The problem is not noticed by clients though, but
it crashes the pop3 process.

POP3 session

        S: +OK Ready.
        C: USER user
        S: +OK
        C: PASS password
        S: +OK Logged in.
        C: UIDL
        ... server crash and disconnects ...

Resulting log

        Jul 06 16:58:05 pop3(user): Panic: Trying to allocate 0 bytes
        Jul 06 16:58:05 pop3(user): Error: Raw backtrace: 0xff1e6454 -> 0xff1e4f78 -> 0xff20689c -> 0x18240 -> 0x1843c -> 0x185a0 -> 0x18a1c -> 0x1576c -> 0x159cc -> 0xff1fee6c -> 0xff200e24 -> 0xff1fef60 -> 0xff1d8010 -> 0x13584 -> 0x1285c
        Jul 06 16:58:14 pop3(user): Fatal: master: service(pop3): child 24972 killed with signal 6 (core dumps disabled)

GDB traceback:

        #0  i_panic (format=0xff2302f8 "Trying to allocate %u bytes") at failures.c:259
        #1  0xff2068a4 in pool_alloconly_malloc (pool=0x60330, size=0) at mempool-alloconly.c:259
        #2  0x00018248 in client_uidls_save (client=0x54d28) at pop3-commands.c:761
        #3  0x00018444 in cmd_uidl_init (client=0x54d28, seq=0) at pop3-commands.c:793
        #4  0x000185a8 in cmd_uidl (client=0x54d28, args=0x19eb8 "") at pop3-commands.c:824
        #5  0x00018a24 in client_command_execute (client=0x54d28, name=0x2b550 "UIDL", args=0x19eb8 "") at pop3-commands.c:889
        #6  0x00015774 in client_handle_input (client=0x54d28) at pop3-client.c:629
        #7  0x000159d4 in client_input (client=0x54d28) at pop3-client.c:682
        #8  0xff1fee74 in io_loop_call_io (io=0x37298) at ioloop.c:379
        #9  0xff200e2c in io_loop_handler_run (ioloop=0x34138) at ioloop-poll.c:211
        #10 0xff1fef68 in io_loop_run (ioloop=0x34138) at ioloop.c:398
        #11 0xff1d8018 in master_service_run (service=0x33c88, callback=0x13120 <client_connected>) at master-service.c:543
        #12 0x0001358c in main (argc=1, argv=0xffbffe0c) at main.c:268

Some non-trivial changes in pop3-commands.c were done between 2.1.3 and
2.1.8 (especially pop3_uidl_duplicates changes in 2.1.7).  I guess
this bug has crept in there.

Joseph Tam <jtam.h...@gmail.com>
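
The failure mode shown in the backtrace above (a zero-byte request reaching an allocator that treats it as a bug), as an added C example that is not Dovecot's code and not part of the original post. `toy_pool_malloc`, `struct toy_client` and both save functions are hypothetical names, and the example assumes the allocation size is derived from the mailbox's message count.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a pool allocator that treats a zero-byte request
 * as a caller bug. It counts the request and returns NULL where the real
 * allocator in the trace panics, so the result can be checked. */
static int zero_alloc_requests = 0;

static void *toy_pool_malloc(size_t size)
{
    if (size == 0) {
        zero_alloc_requests++;
        return NULL;
    }
    return calloc(1, size);
}

struct toy_client {
    unsigned int messages_count; /* 0 for an empty mailbox */
    const char **uidls;          /* one slot per message */
};

/* Assumption: the size is derived from the message count, so an empty
 * mailbox turns into a zero-byte request. */
static int uidls_save_unguarded(struct toy_client *c)
{
    c->uidls = toy_pool_malloc(sizeof(c->uidls[0]) * c->messages_count);
    return c->uidls != NULL ? 0 : -1;
}

/* Guarded form: an empty mailbox has no UIDLs to save, so return before
 * the allocator is ever asked for zero bytes. */
static int uidls_save_guarded(struct toy_client *c)
{
    if (c->messages_count == 0) {
        c->uidls = NULL;
        return 0;
    }
    return uidls_save_unguarded(c);
}

int main(void)
{
    struct toy_client empty = { 0, NULL }; /* constructed sample input */
    printf("unguarded: %d\n", uidls_save_unguarded(&empty));
    printf("guarded:   %d\n", uidls_save_guarded(&empty));
    printf("zero-byte requests seen: %d\n", zero_alloc_requests);
    return 0;
}
```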
