Certain mails will crash imapd if using server side threading

[brong]

From: Øyvind Kolbu Bugzilla-Id: 3463 Version: 2.4.x (next) Owner: Bron Gondwana

[brong]

From: Øyvind Kolbu

Some email will consistently crash imapd when using server side threading, as shown in the example below. This bug dates back at least as far as 2.2.12.

imtest -t '' -m login -a oktest -u oktest imap-sg00

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN SASL-IR] mail-utv2.uio.no Cyrus IMAP git2.4.8+0 server read [...] . SELECT INBOX.problem-eposter

• 5 EXISTS
• 0 RECENT
• FLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk)
• OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk *)] Ok
• OK [UNSEEN 1] Ok
• OK [UIDVALIDITY 1304427394] Ok
• OK [UIDNEXT 6] Ok
• OK [HIGHESTMODSEQ 6] Ok
• OK [URLMECH INTERNAL] Ok . OK [READ-WRITE] Completed . UID THREAD REFERENCES utf-8 ALL Connection closed.

[brong]

Attachment-Id: 1387 From: Øyvind Kolbu Type: application/x-gzip File: problem-mails.tar.gz

The five mails which crashes imapd every time

[brong]

From: Bron Gondwana

Taking this one so I can look at it!

[brong]

From: Bron Gondwana

Goodness, there are multiple bugs here. Pushing back to 2.4-next because this is too big to solve right now.

[brong]

From: Bron Gondwana

Grah - I hate how Bugzilla bounces you to the next bug in your search when you make a comment on a bug. Re-pasting:

So these messages are all part of one thread, as follows:

missing parent: <57E6ED712CD80847B272D4DE9CF3DBB201103266057B@HV3KD026.ad.rikshospitalet.no> (mentioned by all other emails in references, but not present in folder)

5: <7A5F57FD436E6648AAA27478B1CF09C1CA90C1CDC0@HV3KD026.ad.rikshospitalet.no> 4: <86DD6BD7881AE1418C0E6907C2361B5101A5968F2596@HV3KC026.ad.rikshospitalet.no> 3: <7A5F57FD436E6648AAA27478B1CF09C1CA90CD3186@HV3KD026.ad.rikshospitalet.no> 2: <61F03CD81C6119419EBA24B05F3E3A5B0113FF61@mr3k6001.ad.medicalresearch.no> 1: <57E6ED712CD80847B272D4DE9CF3DBB201103266057E@HV3KD026.ad.rikshospitalet.no>

And the thread is

(missing (5 (4 (1)(2 (3)))))

3 is a child of 2 2 and 1 are children of 4 4 is a child of 5 5 is a child of the missing message

One problem is that references headers aren't properly decoded over line wraps:

(gdb) p msgdata->ref[0] $19 = 0x180f150 "<57E6ED712CD80847B272D4DE9CF3DBB201103266057B@HV3KD026.ad.riksho\r\n\tspitalet.no>" (gdb) p msgdata->ref[1] $20 = 0x180f1b0 "<7A5F57FD436E6648AAA27478B1CF09C1CA90C1CDC0@HV3KD026.ad.rikshos\r\n\tpitalet.no>" (gdb) p msgdata->ref[2] $21 = 0x180f210 "<86DD6BD7881AE1418C0E6907C2361B5101A5968F2596@HV3KC026.ad.rikshospitalet.no>"

I don't know if this is the only cause - but later the is lots of code which assumes that every node in the Thread will have either a msgdata or a child with a msgdata. If that condition fails, Cyrus will crash in multiple places.

[brong]

From: Bron Gondwana

David Carter pointed out on the mailing list that he has just hit this bug as well, and found the old report.

This bug has been marked as a duplicate of bug 2772

[brong]

From: Jeroen van Meeuwen (Kolab Systems)

Targeted for inclusion in 2.4.11