From: Emmanuel D. <ma...@ne...> - 2014-01-22 14:11:10
|
Hi

Using the latest source from SVN, I get rare memory faults:

#0 0xbb7d4f4c in ssl3_shutdown () from /usr/lib/libssl.so.10
#1 0xbb7c5b0d in SSL_shutdown () from /usr/lib/libssl.so.10
#2 0x0804a671 in _ICC_Invalidate (ICC=0xbb318580) at ./src/icc.c:270
#3 0x0804a6ca in ICC_Invalidate (ICC=0xbb318580) at ./src/icc.c:284
#4 0x08050b2e in cmd_login (LiteralLogin=<optimized out>, Tag=<optimized out>, Password=<optimized out>, Username=<optimized out>, Client=<optimized out>, passlen=<optimized out>) at ./src/request.c:1093
#5 HandleRequest (clientsd=12) at ./src/request.c:2164
#6 0xbb5e24ea in ?? () from /usr/lib/libpthread.so.1
#7 0xbb533ea0 in ___lwp_park50 () from /lib/libc.so.12
#8 0xbae00000 in ?? ()
#9 0xbb5e26fa in pthread_create () from /usr/lib/libpthread.so.1
#10 0x0804c332 in main (argc=5, argv=0xbf7fecd4) at ./src/main.c:714

The SSL handle looks sane:

(gdb) frame 2
#2 0x0804a671 in _ICC_Invalidate (ICC=0xbb318580) at ./src/icc.c:270
270 SSL_shutdown( ICC->server_conn->tls );
(gdb) print *ICC->server_conn->tls
$1 = {version = 771, type = 4096, method = 0xbb7e1420, rbio = 0xb9b104c0, wbio = 0xb9b104c0, bbio = 0x0, rwstate = 1, in_handshake = 0, handshake_func = 0xbb7aef46 <ssl3_connect>, server = 0, new_session = 0, quiet_shutdown = 0, shutdown = 3, state = 3, rstate = 240, init_buf = 0x0, init_msg = 0xb9bd5004, init_num = 0, init_off = 0, (...)

--
Emmanuel Dreyfus
ma...@ne... |
From: Emmanuel D. <ma...@ne...> - 2014-01-22 15:27:22
|
On Wed, Jan 22, 2014 at 02:11:03PM +0000, Emmanuel Dreyfus wrote:
> The SSL handle looks sane:

But it is not always the case:

#0 0xbb7d4f4c in ssl3_shutdown () from /usr/lib/libssl.so.10
#1 0xbb7c5b0d in SSL_shutdown () from /usr/lib/libssl.so.10
#2 0x0804a501 in _ICC_Recycle (Expiration=500) at ./src/icc.c:145
#3 0x0804a5ef in ICC_Recycle_Loop () at ./src/icc.c:231
#4 0xbb5e24ea in ?? () from /usr/lib/libpthread.so.1
#5 0xbb533ea0 in ___lwp_park50 () from /lib/libc.so.12
#6 0xbb000000 in ?? ()
#7 0xbb5e26fa in pthread_create () from /usr/lib/libpthread.so.1
#8 0x0804c332 in main (argc=5, argv=0xbf7fec8c) at ./src/main.c:714
(gdb) frame 2
#2 0x0804a501 in _ICC_Recycle (Expiration=500) at ./src/icc.c:145
145 SSL_shutdown( HashEntry->server_conn->tls );
(gdb) print *HashEntry->server_conn->tls
Cannot access memory at address 0xbb23c520

An interesting point on this one: it was a debug instance, with only a single user.

--
Emmanuel Dreyfus
ma...@ne... |
From: Paul L. <pa...@sq...> - 2014-01-22 19:48:25
|
On Wed, Jan 22, 2014 at 7:27 AM, Emmanuel Dreyfus <ma...@ne...> wrote:
> On Wed, Jan 22, 2014 at 02:11:03PM +0000, Emmanuel Dreyfus wrote:
>> The SSL handle looks sane:
>
> But it is not always the case:
>
> #0 0xbb7d4f4c in ssl3_shutdown () from /usr/lib/libssl.so.10
> #1 0xbb7c5b0d in SSL_shutdown () from /usr/lib/libssl.so.10
> #2 0x0804a501 in _ICC_Recycle (Expiration=500) at ./src/icc.c:145
> #3 0x0804a5ef in ICC_Recycle_Loop () at ./src/icc.c:231
> #4 0xbb5e24ea in ?? () from /usr/lib/libpthread.so.1
> #5 0xbb533ea0 in ___lwp_park50 () from /lib/libc.so.12
> #6 0xbb000000 in ?? ()
> #7 0xbb5e26fa in pthread_create () from /usr/lib/libpthread.so.1
> #8 0x0804c332 in main (argc=5, argv=0xbf7fec8c) at ./src/main.c:714
> (gdb) frame 2
> #2 0x0804a501 in _ICC_Recycle (Expiration=500) at ./src/icc.c:145
> 145 SSL_shutdown( HashEntry->server_conn->tls );
> (gdb) print *HashEntry->server_conn->tls
> Cannot access memory at address 0xbb23c520
>
> An interesting point on this one: it was a debug instance, with only
> a single user.

Hmm, I cannot reproduce. Please keep us informed what you find, if anything....

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php |
From: <ma...@ne...> - 2014-01-26 02:26:39
|
Paul Lesniewski <pa...@sq...> wrote: > Hmm, I cannot reproduce. Please keep us informed what you find, if > anything.... I did not find the activity pattern that triggers it. It happens roughly once a day. I tried fixing an unchecked malloc, but it did not help. You can still check the patch in, since it is a real bug, but not the one that triggers this crash. --- src/imapcommon.c.orig 2014-01-23 10:02:24.000000000 +0100 +++ src/imapcommon.c 2014-01-23 10:03:50.000000000 +0100 @@ -675,8 +675,13 @@ * didn't match. * Open a connection to the IMAP server so we can attempt to login */ Server.conn = ( ICD_Struct * ) malloc( sizeof ( ICD_Struct ) ); + if (Server.conn == NULL) { + syslog( LOG_ERR, "%s: malloc() failed: %s -- Exiting.", __func__, + strerror( errno ) ); + exit( 1 ); + } memset( Server.conn, 0, sizeof ( ICD_Struct ) ); /* As a new connection, the ICD is not 'reused' */ Server.conn->reused = 0; -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz ma...@ne... |
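Review bot: the new NULL branch in src/imapcommon.c calls exit( 1 ), which ends the whole proxy process, and with it every other client's session, because one login could not allocate an ICD_Struct. Consider logging the failure and returning an error to the caller so that only this login attempt is refused. The added syslog() line also uses strerror( errno ), so the file needs <errno.h> and <string.h> in scope; the hunk does not show the include list, so that is worth confirming. Since the malloc() is followed directly by a memset() to zero, calloc( 1, sizeof ( ICD_Struct ) ) would do both in one call.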
From: Thorsten S. <sch...@tu...> - 2014-01-30 17:38:56
|
Hi,

I do also see crashes. Did you check your logfiles? I get the following in front of the crashes:

[...]
> Jan 30 08:33:52 xxx in.imapproxyd[1791]: Expiring server sd [-1]

Might it be a call to SSL_shutdown() in _ICC_Recycle() after SSL_free() has already been called in _ICC_Invalidate()?

Maybe _ICC_Invalidate() needs some redesign, either to do the full job and close sd, free tls+server_conn, adjust the next pointer and put ICC into free list or to give _ICC_Recycle() just a clue that this ICC is recyclable but prevent others from using it until then?

On 26.01.2014 03:30, Emmanuel Dreyfus wrote:
> Paul Lesniewski <pa...@sq...> wrote:
>
>> Hmm, I cannot reproduce. Please keep us informed what you find, if
>> anything....
> |
From: Emmanuel D. <ma...@ne...> - 2014-03-13 16:02:24
|
On Wed, Jan 22, 2014 at 11:47:56AM -0800, Paul Lesniewski wrote:
> Hmm, I cannot reproduce. Please keep us informed what you find, if anything....

Here is what I found:
- cmd_authenticate_login() or cmd_login() call ICC_Invalidate()
- ICC_Invalidate() frees the TLS context
  => XXX nobody moves the ICC to the free list
- ICC_Recycle() uses the ICC for IMAP_Write()/SSL_shutdown() and crashes.

How should we fix it? ICC_Invalidate() moves the ICC to the free list, or ICC_Recycle() checks for (ICC->server_conn->sd != -1) ?

--
Emmanuel Dreyfus
ma...@ne... |
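The sequence described in the two messages above (the invalidate path frees the TLS context, the recycle pass later touches the same cache entry), as an added example that is not imapproxy code and not part of any post in this thread. The names fake_tls, invalidate, recycle, run_scenario and the hardened flag are hypothetical, and a counting stand-in replaces the OpenSSL handle so the stale accesses can be observed without crashing.

```c
#include <stdio.h>

/* Stand-in SSL handle: never really released, so stale accesses are countable. */
struct fake_tls { int freed; };
static int stale_uses;  /* touches of an already-freed handle */

static void fake_shutdown(struct fake_tls *t) { if (t->freed) stale_uses++; }
static void fake_free(struct fake_tls *t) { if (t->freed) stale_uses++; t->freed = 1; }

struct conn  { int sd; struct fake_tls *tls; };
struct entry { struct conn *server_conn; };

/* Login path: the TLS context is freed but the entry stays in the cache. */
static void invalidate(struct entry *e, int hardened)
{
    fake_shutdown(e->server_conn->tls);
    fake_free(e->server_conn->tls);
    e->server_conn->sd = -1;         /* assumed from the "sd [-1]" log line */
    if (hardened)
        e->server_conn->tls = NULL;  /* leave no dangling handle behind */
}

/* Expiry pass that later visits the same entry. */
static void recycle(struct entry *e, int hardened)
{
    if (hardened && e->server_conn->sd == -1)
        return;                      /* already torn down, nothing to close */
    if (e->server_conn->tls) {
        fake_shutdown(e->server_conn->tls);  /* stale use if already freed */
        fake_free(e->server_conn->tls);      /* second free if already freed */
    }
}

int run_scenario(int hardened)       /* returns the number of stale accesses */
{
    struct fake_tls tls = { 0 };
    struct conn c = { 12, &tls };
    struct entry e = { &c };
    stale_uses = 0;
    invalidate(&e, hardened);        /* what cmd_login() triggers */
    recycle(&e, hardened);           /* what the recycle thread does later */
    return stale_uses;
}

int main(void)
{
    printf("unguarded: %d, hardened: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The unguarded run counts two stale accesses, one for the shutdown on a freed handle and one for the second free; the hardened run counts none.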
From: Emmanuel D. <ma...@ne...> - 2014-03-14 08:57:16
|
On Thu, Mar 13, 2014 at 03:44:54PM +0000, Emmanuel Dreyfus wrote: > - cmd_authenticate_login() or cmd_login() call ICC_Invalidate() > - ICC_Invalidate() frees the TLS context > => XXX nobody moves the ICC to the free list > - ICC_Recycle() uses the ICC for IMAP_Write()/SSL_shutdown() and crashes. Here is a fix proposal: --- src/icc.c.orig +++ src/icc.c @@ -134,21 +134,27 @@ Expiration ) ) { syslog(LOG_INFO, "Expiring server sd [%d]", HashEntry->server_conn->sd); /* Logout of the IMAP server and close the server socket. */ - - IMAP_Write( HashEntry->server_conn, "VIC20 LOGOUT\r\n", - strlen( "VIC20 LOGOUT\r\n" ) ); + if (HashEntry->server_conn->sd != -1) { + IMAP_Write( HashEntry->server_conn, "VIC20 LOGOUT\r\n", + strlen( "VIC20 LOGOUT\r\n" ) ); #if HAVE_LIBSSL - if ( HashEntry->server_conn->tls ) - { - SSL_shutdown( HashEntry->server_conn->tls ); - SSL_free( HashEntry->server_conn->tls ); - } + if ( HashEntry->server_conn->tls ) + { + SSL *tls = HashEntry->server_conn->tls; + HashEntry->server_conn->tls = (SSL *)0xdeadbeef; + + SSL_shutdown( tls ), + SSL_free( tls ); + } #endif - close( HashEntry->server_conn->sd ); - free( HashEntry->server_conn ); + close( HashEntry->server_conn->sd ); + free( HashEntry->server_conn ); + } else { + syslog(LOG_INFO, "Expiring freed ICC"); + } /* * This was being counted as a "retained" connection. It was * open, but not in use. Now that we're closing it, we have -- Emmanuel Dreyfus ma...@ne... |
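Review bot: inside the new "if ( HashEntry->server_conn->tls )" block, the line "SSL_shutdown( tls )," ends with a comma, so it is joined to "SSL_free( tls );" by the comma operator; the behaviour is the same but it reads as a typo and should end with a semicolon. The assignment of (SSL *)0xdeadbeef to HashEntry->server_conn->tls is a debugging poison value and should be dropped before commit, or replaced by NULL if the intent is to leave no stale handle behind. The new "sd != -1" guard also depends on the invalidation path setting sd to -1 and leaving server_conn allocated, neither of which is visible in this hunk, so a comment stating that contract next to the check would help. The else branch skips free( HashEntry->server_conn ), so it is worth confirming who releases that structure for an entry that was already invalidated.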
From: <ma...@ne...> - 2014-03-17 05:06:38
|
Emmanuel Dreyfus <ma...@ne...> wrote:

> > - cmd_authenticate_login() or cmd_login() call ICC_Invalidate()
> > - ICC_Invalidate() frees the TLS context
> > => XXX nobody moves the ICC to the free list
> > - ICC_Recycle() uses the ICC for IMAP_Write()/SSL_shutdown() and crashes.
>
> Here is a fix proposal:

I have not observed any crash since I applied the patch.

Please note that there is some debugging aid left:
HashEntry->server_conn->tls = (SSL *)0xdeadbeef;

No need to retain that change, of course.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne... |
From: Paul L. <pa...@sq...> - 2016-09-14 01:45:16
|
On 2014-03-16 22:11, Emmanuel Dreyfus wrote:
> Emmanuel Dreyfus <ma...@ne...> wrote:
>
>>> - cmd_authenticate_login() or cmd_login() call ICC_Invalidate()
>>> - ICC_Invalidate() frees the TLS context
>>> => XXX nobody moves the ICC to the free list
>>> - ICC_Recycle() uses the ICC for IMAP_Write()/SSL_shutdown() and crashes.
>>
>> Here is a fix proposal:
>
> I have not observed any crash since I applied the patch.

Emmanuel, sorry for the great delay. This fix has been added. Thank you very much!

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php |
From: <ma...@ne...> - 2014-03-26 04:59:29
|
Hi

I heard no news about the patch that fixes crashes in SSL_shutdown because of a double free. Is anyone reading this list?

Here it is again:
http://ftp.espci.fr/shadow/manu/imapproxy-crash.patch

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne... |
From: Paul L. <pa...@sq...> - 2014-03-26 06:57:48
|
Yes, and very appreciative of your efforts. Will respond soon, thanks for your patience.

On Tuesday, March 25, 2014, Emmanuel Dreyfus <ma...@ne...> wrote:
> Hi
>
> I heard no news about the patch that fixes crashes in SSL_shutdown
> because of a double free. Is anyone reading this list?
>
> Here it is again:
> http://ftp.espci.fr/shadow/manu/imapproxy-crash.patch
>
> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> ma...@ne...
>

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php |