* mlmmj-process dies with "free(): invalid next size"
From: Christoph Wilke @ 2006-11-10 15:28 UTC (permalink / raw)
  To: mlmmj

[-- Attachment #1: Type: text/plain, Size: 734 bytes --]

Hi!

As stated in the subject, mlmmj-process dies with a
memory error if the subject line of the mailfile
contains an equal sign ( = ).

After I found the error in my logs, I tried to run the
process by hand:

# ~/mlmmj/mlmmj-1.2.12-RC4/src/mlmmj-process -L /var/spool/mlmmj/test \
-m /var/spool/mlmmj/test/incoming/647f4170739768df
*** glibc detected *** free(): invalid next size (fast): 0x08054a40 ***
Aborted
#

I tested it with the attached mailfile -- error
the same file, but without the equal signs -- no error
the same file, but only an equal sign as subject -- error.

Further testing/checking showed that the bug was introduced in
RC3, because RC2 runs just fine.

Ciao
Chris

PS. The versions I used to test weren't patched.

[-- Attachment #2: 647f4170739768df --]
[-- Type: application/octet-stream, Size: 908 bytes --]

From chris@filmkreis.tu-darmstadt.de  Tue Nov  7 11:09:07 2006
Return-Path: <chris@filmkreis.tu-darmstadt.de>
X-Original-To: test@pc1.filmkreis.tu-darmstadt.de
Delivered-To: test@pc1.filmkreis.tu-darmstadt.de
Received: from localhost (localhost [127.0.0.1])
	by pc1.filmkreis.tu-darmstadt.de (Postfix) with ESMTP id 63F29946
	for <test@pc1.filmkreis.tu-darmstadt.de>; Tue,  7 Nov 2006 11:09:07 +0100 (CET)
Received: from pc1.filmkreis.tu-darmstadt.de ([127.0.0.1])
	by localhost (pc1.filmkreis.tu-darmstadt.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id CcmEtzPAegHB
	for <test@pc1.filmkreis.tu-darmstadt.de>;
	Tue,  7 Nov 2006 11:09:07 +0100 (CET)
Subject: ?iso-8859-1?Q?30_Minuten_und_1_Muskelkater_sp=E4ter?
Date: Tue, 7 Nov 2006 10:56:30 +0100
Message-ID: <AD4FD260F477F8488BCFFC4DD49B064333E27F@bla.local>
From: <chris@filmkreis.tu-darmstadt.de>
To: <test@pc1.filmkreis.tu-darmstadt.de>

test


* Re: mlmmj-process dies with "free(): invalid next size"
From: Mads Martin Joergensen @ 2006-11-11 19:18 UTC (permalink / raw)
  To: mlmmj

* Christoph Wilke <chris@filmkreis.tu-darmstadt.de> [Nov 10. 2006 16:25]:
> ps. The versions I used to test weren't patched.

Can you please try RC4 with the latest patch from Morten?

-- 
Mads Martin Joergensen, http://mmj.dk
"Why make things difficult, when it is possible to make them cryptic
 and totally illogical, with just a little bit more effort?"
                                 -- A. P. J.


* Re: mlmmj-process dies with "free(): invalid next size"
From: Andrea Barisani @ 2006-11-11 19:55 UTC (permalink / raw)
  To: mlmmj

On Sat, Nov 11, 2006 at 08:18:47PM +0100, Mads Martin Joergensen wrote:
> * Christoph Wilke <chris@filmkreis.tu-darmstadt.de> [Nov 10. 2006 16:25]:
> > ps. The versions I used to test weren't patched.
> 
> Can you please try RC4 with the latest patch from Morten?
> 
> -- 

We get this too: mlmmj-process: *** glibc detected *** free():
invalid next size (fast): 0x116383a8 ***

RC4 doesn't solve the issue (unless there's some patch against it that I'm
missing).

-- 
Andrea Barisani <lcars@gentoo.org>                            .*.
Gentoo Linux Infrastructure Developer                          V
                                                             (   )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
      "Pluralitas non est ponenda sine necessitate"


* Re: mlmmj-process dies with "free(): invalid next size"
From: Mads Martin Joergensen @ 2006-11-12 11:26 UTC (permalink / raw)
  To: mlmmj

* Andrea Barisani <lcars@gentoo.org> [Nov 11. 2006 20:54]:
> > > ps. The versions I used to test weren't patched.
> > 
> > Can you please try RC4 with the latest patch from Morten?
> 
> We get this too: mlmmj-process: *** glibc detected *** free():
> invalid next size (fast): 0x116383a8 ***
> 
> RC4 doesn't solve the issue (unless there's some patch against it that I'm
> missing).

There was this patch from Morten:

http://mlmmj.mmj.dk/~mortenp/patch-mlmmj-1.2.12_RC4-gethdrline.diff

-- 
Mads Martin Joergensen, http://mmj.dk
"Why make things difficult, when it is possible to make them cryptic
 and totally illogical, with just a little bit more effort?"
                                 -- A. P. J.


* Re: mlmmj-process dies with "free(): invalid next size"
From: Andrea Barisani @ 2006-11-12 15:14 UTC (permalink / raw)
  To: mlmmj

On Sun, Nov 12, 2006 at 12:26:08PM +0100, Mads Martin Joergensen wrote:
> * Andrea Barisani <lcars@gentoo.org> [Nov 11. 2006 20:54]:
> > > > ps. The versions I used to test weren't patched.
> > > 
> > > Can you please try RC4 with the latest patch from Morten?
> > 
> > We get this too: mlmmj-process: *** glibc detected *** free():
> > invalid next size (fast): 0x116383a8 ***
> > 
> > RC4 doesn't solve the issue (unless there's some patch against it that I'm
> > missing).
> 
> There was this patch from Morten:
> 
> http://mlmmj.mmj.dk/~mortenp/patch-mlmmj-1.2.12_RC4-gethdrline.diff
>

Applied, let's see what happens. Also, today I found two mlmmj-process
processes at 100% CPU battling with each other. I'll try to debug it if it
happens again.

Cheers

> -- 
> Mads Martin Joergensen, http://mmj.dk
> "Why make things difficult, when it is possible to make them cryptic
>  and totally illogical, with just a little bit more effort?"
>                                  -- A. P. J.

-- 
Andrea Barisani <lcars@gentoo.org>                            .*.
Gentoo Linux Infrastructure Developer                          V
                                                             (   )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
      "Pluralitas non est ponenda sine necessitate"


* Re: mlmmj-process dies with "free(): invalid next size"
From: Andrea Barisani @ 2006-11-12 15:19 UTC (permalink / raw)
  To: mlmmj

On Sun, Nov 12, 2006 at 12:26:08PM +0100, Mads Martin Joergensen wrote:
> * Andrea Barisani <lcars@gentoo.org> [Nov 11. 2006 20:54]:
> > > > ps. The versions I used to test weren't patched.
> > > 
> > > Can you please try RC4 with the latest patch from Morten?
> > 
> > We get this too: mlmmj-process: *** glibc detected *** free():
> > invalid next size (fast): 0x116383a8 ***
> > 
> > RC4 doesn't solve the issue (unless there's some patch against it that I'm
> > missing).
> 
> There was this patch from Morten:
> 
> http://mlmmj.mmj.dk/~mortenp/patch-mlmmj-1.2.12_RC4-gethdrline.diff
> 
> -- 
> Mads Martin Joergensen, http://mmj.dk
> "Why make things difficult, when it is possible to make them cryptic
>  and totally illogical, with just a little bit more effort?"
>                                  -- A. P. J.

Ok I can confirm that with the patch we are still getting the error.

-- 
Andrea Barisani <lcars@gentoo.org>                            .*.
Gentoo Linux Infrastructure Developer                          V
                                                             (   )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
      "Pluralitas non est ponenda sine necessitate"


* Re: mlmmj-process dies with "free(): invalid next size"
From: Morten K. Poulsen @ 2006-11-12 21:32 UTC (permalink / raw)
  To: mlmmj


Hi Christoph

"Christoph Wilke" <chris@filmkreis.tu-darmstadt.de> wrote:
> # ~/mlmmj/mlmmj-1.2.12-RC4/src/mlmmj-process -L /var/spool/mlmmj/test \
> -m /var/spool/mlmmj/test/incoming/647f4170739768df
> *** glibc detected *** free(): invalid next size (fast): 0x08054a40 ***
> Aborted

Ouch. That smells like a double-free.

> I tested it with the attached mailfile -- error
> the same file, but without the equal signs -- no error

I am unable to reproduce the error with the attached mailfile. The bug might depend on a specific setting. Could you send me (a link to) a tarball of the listdir/control/ directory?

> the same file, but only an equal sign as subject -- error.

There was a bug in cleanquotedp() that would cause it to read past the end of its buffer, if there was an equal sign within the last two bytes of the subject.

I have fixed that issue now:

http://mlmmj.mmj.dk/~mortenp/patch-mlmmj-1.2.12_RC4-cleanquotedp.diff

However, I believe that this is a separate bug. Was the glibc error message for this case the same as the error message for the first case?

> Further testing/checking showed, the bug was introduced in
> RC3, because RC2 runs just fine.

Strange. I don't see how the change in gethdrline() could have anything to do with this, but I might be wrong.

Could you run this again (with the patch) with Valgrind?

Morten

-- 
Morten K. Poulsen <morten@afdelingp.dk>
http://www.afdelingp.dk/


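An added illustration of the bug class Morten describes above (a cleaner that reads past the end of its buffer when '=' sits in the last two bytes of the subject) and of why the symptom only shows up later as "free(): invalid next size". This is example code, not mlmmj's cleanquotedp() and not anything posted in this thread; the function names qp_clean_naive and qp_clean_safe, the "output buffer sized from strlen(input)" assumption and the input (the Subject from the report with a trailing '=', followed in the same allocation by a NUL and some constructed bytes standing in for whatever sits after the header on the heap) are all mine.

```c
/* Added example, not mlmmj code: a naive quoted-printable cleaner beside a
 * bounded one.  Build and run: cc -Wall -Wextra -o qp qp.c && ./qp */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return 0;                       /* callers must validate with isxdigit() */
}

/* Naive cleaner, shaped like the bug described in the thread (assumption: the
 * real cleanquotedp() may differ).  On '=' it blindly consumes the next two
 * bytes.  If '=' is one of the last two bytes, in[i+1] or in[i+2] is the NUL
 * terminator or memory beyond it; "i += 2" then steps over the terminator and
 * the loop keeps copying until the next zero byte in memory.  With an output
 * buffer of malloc(strlen(in) + 1) that is a heap overflow, which glibc only
 * notices when the neighbouring chunk's header is checked at free() time. */
static size_t qp_clean_naive(const char *in, char *out)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '=') {
            out[o++] = (char)((hexval(in[i + 1]) << 4) | hexval(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Bounded cleaner: explicit input length, never reads past it, never writes
 * past outcap, and passes a malformed '=' (fewer than two hex digits after
 * it) through literally.  Returns the output length or -1 if out is too small. */
static long qp_clean_safe(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (o + 1 >= outcap)        /* room for this byte plus the final NUL */
            return -1;
        if (in[i] == '=' && i + 2 < inlen &&
            isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            out[o++] = (char)((hexval(in[i + 1]) << 4) | hexval(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Constructed input: the report's Subject with a trailing '=', then a NUL,
 * then bytes that stand in for whatever follows the string on the heap. */
static const char heap_image[] =
    "30_Minuten_und_1_Muskelkater_sp=E4ter=" "\0" "E4 next chunk";

/* Bytes the naive cleaner emits for the string in heap_image.  A large
 * scratch buffer keeps this demo in bounds; anything above strlen(heap_image)
 * would have overrun a buffer sized from strlen(). */
size_t naive_output_len(void)
{
    char scratch[128];
    return qp_clean_naive(heap_image, scratch);
}

static char safe_buf[64];

long safe_output_len(void)
{
    return qp_clean_safe(heap_image, strlen(heap_image), safe_buf, sizeof safe_buf);
}

/* Same input, but pretend the output buffer only has outcap bytes. */
long safe_output_len_capped(size_t outcap)
{
    char tmp[64];
    if (outcap > sizeof tmp) outcap = sizeof tmp;
    return qp_clean_safe(heap_image, strlen(heap_image), tmp, outcap);
}

const char *safe_output(void)
{
    return safe_output_len() < 0 ? NULL : safe_buf;
}

int main(void)
{
    printf("input length       : %zu\n", strlen(heap_image));
    printf("naive output length: %zu (more than the input: a strlen()-sized "
           "buffer would be overrun)\n", naive_output_len());
    printf("safe output length : %ld -> \"%s\"\n", safe_output_len(), safe_output());
    return 0;
}
```

The naive cleaner produces 48 bytes for a 38-byte subject, so with a strlen()-sized heap buffer the extra bytes land in the next chunk's size field; that is the corruption glibc reports as "free(): invalid next size" when the buffer is eventually freed, far from the faulty write. Valgrind or a build with -fsanitize=address flags the first out-of-bounds read or write itself, which is why a Valgrind run is the right next step when the abort happens inside free().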

* Re: mlmmj-process dies with "free(): invalid next size"
From: Christoph Wilke @ 2006-11-13 15:00 UTC (permalink / raw)
  To: mlmmj

On Sun, November 12, 2006 22:32, Morten K. Poulsen wrote:
>
> Hi Christoph
>
> "Christoph Wilke" <chris@filmkreis.tu-darmstadt.de> wrote:
>> # ~/mlmmj/mlmmj-1.2.12-RC4/src/mlmmj-process -L
>> /var/spool/mlmmj/test \
>> -m /var/spool/mlmmj/test/incoming/647f4170739768df
>> *** glibc detected *** free(): invalid next size (fast): 0x08054a40
>> ***
>> Aborted
>
> Ouch. That smells like a double-free.
>
>> I tested it with the attached mailfile -- error
>> the same file, but without the equal signs -- no error
>
> I am unable to reproduce the error with the attached mailfile. The bug
> might depend on a specific setting. Could you send me (a link to) a
> tarball of the listdir/control/ directory?

I think you are right; strace showed me it crashes during
the insertion of the prefix.
I forgot to mention this, sorry.

I placed the control directory online here:
https://130.83.185.211/mlmmj/test_control.tar.bz2

>
>> the same file, but only an equal sign as subject -- error.
>
> There was a bug in cleanquotedp() that would cause it to read past the
> end of its buffer, if there was an equal sign within the last two
> bytes of the subject.
>
> I have fixed that issue now:
>
> http://mlmmj.mmj.dk/~mortenp/patch-mlmmj-1.2.12_RC4-cleanquotedp.diff
>
> However, I believe that this is a separate bug. Was the glibc error
> message for this case the same as the error message for the first
> case?

I will test this later. Not much time at the moment...

>
>> Further testing/checking showed, the bug was introduced in
>> RC3, because RC2 runs just fine.
>
> Strange. I don't see how the change in gethdrline() could have
> anything to do with this, but I might be wrong.
>
> Could you run this again (with the patch) with Valgrind?

I did, and it works now for me.

>
> Morten

Ciao
Chris


* Re: mlmmj-process dies with "free(): invalid next size"
From: Christoph Wilke @ 2006-11-13 21:30 UTC (permalink / raw)
  To: mlmmj

On Mon, November 13, 2006 16:00, Christoph Wilke wrote:
> On Sun, November 12, 2006 22:32, Morten K. Poulsen wrote:

[...]

>>
>>> I tested it with the attached mailfile -- error
>>> the same file, but without the equal signs -- no error

[...]

>>> the same file, but only an equal sign as subject -- error.
>>
>> There was a bug in cleanquotedp() that would cause it to read past
>> the
>> end of its buffer, if there was an equal sign within the last two
>> bytes of the subject.
>>
>> I have fixed that issue now:
>>
>> http://mlmmj.mmj.dk/~mortenp/patch-mlmmj-1.2.12_RC4-cleanquotedp.diff
>>
>> However, I believe that this is a separate bug. Was the glibc error
>> message for this case the same as the error message for the first
>> case?
>
> I will test this later. Not much time at the moment...

With the full subject I get:

# /root/mlmmj/mlmmj-1.2.12-RC4/src/mlmmj-process -L /var/spool/mlmmj/test \
-m /var/spool/mlmmj/test/incoming/647f4170739768df
*** glibc detected *** free(): invalid next size (normal): 0x08055260 ***
Aborted
#

with the equal sign, it results in:

# /root/mlmmj/mlmmj-1.2.12-RC4/src/mlmmj-process -L /var/spool/mlmmj/test \
-m /var/spool/mlmmj/test/incoming/647f4170739768df
*** glibc detected *** free(): invalid next size (fast): 0x080551c8 ***
Aborted
#

Ciao
Chris
