#78 mbsync keeps crashing

[Young-whan Song]

While running mbsync -a in macOS, it keeps crashing

Assertion failed: (min_len <= max_len), function socket_read, file socket.c, line 957.

Attaching the crash log

[Young-whan Song]

Looking at the source code, it seems that in src/drv_imap.c

static int
parse_imap_list( imap_store_t *ctx, char **sp, parse_list_state_t *sts )
{
...
               } else if (*s == '{') {
                        /* literal */
                        bytes = strtoul( s + 1, &s, 10 );
                        if (*s != '}' || *++s) {
                                sts->err = "malformed literal";
                                goto bail;
                        }
                        if (bytes >= INT_MAX) {
                                sts->err = "excessively large literal - THIS MIGHT BE AN ATTEMPT TO HACK YOU!";
                                goto bail;
                        }
                       ...

In above, when the bytes is 0,

                        if (!(p = socket_read( &ctx->conn, n, bytes, &n )))

this causes the assertion by

char *
socket_read( conn_t *conn, uint min_len, uint max_len, uint *out_len )
{
        assert( min_len > 0 );
        assert( min_len <= sizeof(conn->buf) );
        assert( min_len <= max_len );

in src/socket.c

[Young-whan Song]

Can someone please help to fix this issue properly?

[Oswald Buddenhagen]

please post the last lines of output from mbsync -a -Dn.

[Young-whan Song]

* 46 FETCH (UID 2432 FLAGS (\Seen))
* 47 FETCH (UID 3784 FLAGS (\Seen))
* 48 FETCH (UID 6005 FLAGS (\Seen))
* 49 FETCH (UID 6146 FLAGS (\Seen))
* 50 FETCH (UID 6147 FLAGS (\Seen))
* 51 FETCH (UID 6980 FLAGS (\Seen))
* 52 FETCH (UID 9897 FLAGS (\Seen))
25 OK Success
far side: 52 messages, 0 recent
Synchronizing...
>>> 26 UID FETCH 2214 (BODY.PEEK[])
(1 in progress) >>> 27 UID FETCH 2215 (BODY.PEEK[])
(2 in progress) >>> 28 UID FETCH 2218 (BODY.PEEK[])
(3 in progress) >>> 29 UID FETCH 2311 (BODY.PEEK[])
(4 in progress) >>> 30 UID FETCH 2335 (BODY.PEEK[])
(5 in progress) >>> 31 UID FETCH 2340 (BODY.PEEK[])
(6 in progress) >>> 32 UID FETCH 2373 (BODY.PEEK[])
(7 in progress) >>> 33 UID FETCH 2374 (BODY.PEEK[])
(8 in progress) >>> 34 UID FETCH 2375 (BODY.PEEK[])
(9 in progress) >>> 35 UID FETCH 2376 (BODY.PEEK[])
(10 in progress) >>> 36 UID FETCH 2384 (BODY.PEEK[])
(11 in progress) >>> 37 UID FETCH 2404 (BODY.PEEK[])
(12 in progress) >>> 38 UID FETCH 2405 (BODY.PEEK[])
(13 in progress) >>> 39 UID FETCH 2406 (BODY.PEEK[])
(14 in progress) >>> 40 UID FETCH 3784 (BODY.PEEK[])
(15 in progress) >>> 41 UID FETCH 6005 (BODY.PEEK[])
(16 in progress) >>> 42 UID FETCH 6146 (BODY.PEEK[])
(17 in progress) >>> 43 UID FETCH 6147 (BODY.PEEK[])
(18 in progress) >>> 44 UID FETCH 6980 (BODY.PEEK[])
(19 in progress) >>> 45 UID FETCH 9897 (BODY.PEEK[])
* 1 FETCH (UID 2214 BODY[] {0}
Assertion failed: (min_len <= max_len), function socket_read, file socket.c, line 957.
[1]    32101 abort      ./isync/1.5.0/bin/mbsync -a -Dn

@ossi here we go

[Oswald Buddenhagen]

ok, thanks. the message is clearly zero bytes in size, and i need to harden the code against such garbage.

[Oswald Buddenhagen]

can you check whether the attached patch is sufficient to produce a sensible result?

[Young-whan Song]

LGTM though. I wish this fix landed to melpa sooner.

[Oswald Buddenhagen]

did you review it only, or did you test it with a box that causes a crash without it? i didn't test it, as i don't have a suitably broken mail server set up currently.

[Young-whan Song]

I tested, and it produces another assertion:

* 50 FETCH (UID 6147 FLAGS (\Seen))
* 51 FETCH (UID 6980 FLAGS (\Seen))
* 52 FETCH (UID 9897 FLAGS (\Seen))
11 OK Success
far side: 52 messages, 0 recent
Synchronizing...
>>> 12 UID FETCH 2214 (BODY.PEEK[])
(1 in progress) >>> 13 UID FETCH 2215 (BODY.PEEK[])
(2 in progress) >>> 14 UID FETCH 2218 (BODY.PEEK[])
(3 in progress) >>> 15 UID FETCH 2311 (BODY.PEEK[])
(4 in progress) >>> 16 UID FETCH 2335 (BODY.PEEK[])
(5 in progress) >>> 17 UID FETCH 2340 (BODY.PEEK[])
(6 in progress) >>> 18 UID FETCH 2373 (BODY.PEEK[])
(7 in progress) >>> 19 UID FETCH 2374 (BODY.PEEK[])
(8 in progress) >>> 20 UID FETCH 2375 (BODY.PEEK[])
(9 in progress) >>> 21 UID FETCH 2376 (BODY.PEEK[])
(10 in progress) >>> 22 UID FETCH 2384 (BODY.PEEK[])
(11 in progress) >>> 23 UID FETCH 2404 (BODY.PEEK[])
(12 in progress) >>> 24 UID FETCH 2405 (BODY.PEEK[])
(13 in progress) >>> 25 UID FETCH 2406 (BODY.PEEK[])
(14 in progress) >>> 26 UID FETCH 3784 (BODY.PEEK[])
(15 in progress) >>> 27 UID FETCH 6005 (BODY.PEEK[])
(16 in progress) >>> 28 UID FETCH 6146 (BODY.PEEK[])
(17 in progress) >>> 29 UID FETCH 6147 (BODY.PEEK[])
(18 in progress) >>> 30 UID FETCH 6980 (BODY.PEEK[])
(19 in progress) >>> 31 UID FETCH 9897 (BODY.PEEK[])
* 1 FETCH (UID 2214 BODY[] {0}
Assertion failed: (min_len <= max_len), function socket_read, file socket.c, line 959.
[1]    11769 abort      mbsync -a -Dn

[Young-whan Song]

This is what I do for the workaround or patch, which is working for me.

Can you refer to the patch here for the hint?

[Oswald Buddenhagen]

it's somewhat surprising that your hack doesn't crash later on.

please try this updated patch.

[Young-whan Song]

Thank you, @Oswald

The last patch works for me.

Thanks,