[exim-dev] [Bug 1671] segfault after delivery

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1671] segfault after delivery
https://bugs.exim.org/show_bug.cgi?id=1671

--- Comment #2 from Wolfgang Breyha <wbreyha@???> ---
I was able to produce coredumps with full debug info... I did that by adding
an iptables DROP for well-known MX hosts of my own domains and queuing some mails
caused by the timeouts.

I had 3 emails for 2 domains in the queue.

After removal of the iptables DROP the queuerunner came by and delivered 3
messages successfully.... after some minutes another, fresh, mail for the same
destination arrived ... and crashed on delivery....

Program terminated with signal 11, Segmentation fault.
#0  0x080c2923 in string_copy (s=0x0) at string.c:421
421    int len = Ustrlen(s) + 1;
(gdb) bt
#0  0x080c2923 in string_copy (s=0x0) at string.c:421
#1  0x080685fb in deliver_make_addr (address=0x0, copy=1) at deliver.c:106
#2  0x080ed936 in smtp_local_identity (sender=0x0, tblock=0x0) at smtp.c:1244
#3  0x080ed9f0 in smtp_are_same_identities (message_id=0x9aa21e0 "1ZRi1e-0008So-Oa", s_compare=0xbff1f2f4) at smtp.c:1282
#4  0x080c91e8 in transport_check_waiting (transport_name=0x999f460 "remote_smtp", hostname=0x99ae910 "zidmx3.univie.ac.at", local_message_max=500, new_message_id=0xbff23307 "", more=0xbff20300, oicf_func=0x80ed9b9 <smtp_are_same_identities>, oicf_data=0xbff1f2f4) at transport.c:1768
#5  0x080f09d7 in smtp_deliver (addrlist=0x99a3f90, host=0x99ae9e8, host_af=<value optimized out>, port=25, interface=0x99aeb08 "192.168.5.1", tblock=0x999f398, message_defer=0xbff23c00, suppress_tls=0) at smtp.c:2761
#6  0x080f1a7d in smtp_transport_entry (tblock=0x999f398, addrlist=0x99a3f90) at smtp.c:3587
#7  0x0806d218 in do_remote_deliveries (fallback=0) at deliver.c:4290
#8  0x08070a2b in deliver_message (id=0xbff65d2c "1ZRi86-0001Q1-50", forced=0, give_up=0) at deliver.c:6610
#9  0x0807bdca in main (argc=3, cargv=Cannot access memory at address 0x3
) at exim.c:4565


The message which is referenced by smtp_are_same_identities()
(1ZRi1e-0008So-Oa) came in while the DROP was active and got deferred by "retry
time not reached for any host"
Aug 18 16:38:12 moorhuhn exim[32538]: 2015-08-18 16:38:12 1ZRi1e-0008So-Oa <= ottoma.....@hidden_domain1

It was delivered by a queuerunner after the DROP was removed...
Aug 18 16:41:08 moorhuhn exim[2667]: 2015-08-18 16:41:08 Start queue run: pid=2667
first another mail waiting for this host got delivered...
Aug 18 16:41:10 moorhuhn exim[2669]: 2015-08-18 16:41:10 1ZRi0n-0008GX-MC => echo@??? ...
Aug 18 16:41:10 moorhuhn exim[2669]: 2015-08-18 16:41:10 1ZRi0n-0008GX-MC Completed QT=3m57s

then ....
Aug 18 16:41:11 moorhuhn exim[2672]: 2015-08-18 16:41:11 1ZRi1e-0008So-Oa => u...@otherdomain
Aug 18 16:41:11 moorhuhn exim[2672]: 2015-08-18 16:41:11 1ZRi1e-0008So-Oa Completed QT=3m5s

and another one waiting...
Aug 18 16:41:11 moorhuhn exim[2678]: 2015-08-18 16:41:11 1ZRhxs-0007dc-Bp => echo@???...
Aug 18 16:41:11 moorhuhn exim[2678]: 2015-08-18 16:41:11 1ZRhxs-0007dc-Bp Completed QT=6m59s
Aug 18 16:41:11 moorhuhn exim[2667]: 2015-08-18 16:41:11 End queue run: pid=2667

Still everything went well... but minutes later a fresh email came in...
Aug 18 16:44:48 moorhuhn exim[5457]: 2015-08-18 16:44:48 1ZRi86-0001Q1-50 <= chris...@hidden_domain1
Aug 18 16:44:49 moorhuhn exim[5468]: 2015-08-18 16:44:49 1ZRi86-0001Q1-50 Spool file 1ZRi1e-0008So-Oa-D not found
Aug 18 16:44:49 moorhuhn exim[5466]: 2015-08-18 16:44:49 1ZRi86-0001Q1-50 == u...@otherdomain R=dnslookup T=remote_smtp defer (-1): smtp transport process returned non-zero status 0x008b: terminated by signal 11
Aug 18 16:44:49 moorhuhn exim[5466]: 2015-08-18 16:44:49 1ZRi86-0001Q1-50 Frozen

and crashed after successfully delivering it to the destination (verified at
the other end)! Meaning the "==" log entry is wrong. The "exim -bp" output is
wrong as well, showing it without a "D" for delivered.

As already noticed on exim-users by somebody else.... the queue-ID in question
and also the other two IDs delivered by the queuerunner are still in the
wait-remote_smtp DB:
# exim_dumpdb /var/spool/exim/ wait-remote_smtp|grep 1ZRi1e-0008So-Oa
zidmx3.univie.ac.at 1ZRhxs-0007dc-Bp 1ZRi0n-0008GX-MC 1ZRi1e-0008So-Oa
zidmx1.univie.ac.at 1ZRhxs-0007dc-Bp 1ZRi0n-0008GX-MC 1ZRi1e-0008So-Oa
zidmx2.univie.ac.at 1ZRhxs-0007dc-Bp 1ZRi0n-0008GX-MC 1ZRi1e-0008So-Oa

I'll keep exim binary coredumps, queue files, .... for a while
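
The cross-check described in the comment above (message IDs still listed in the wait-remote_smtp hints database although their spool data file is gone), as an added example that is not part of the original comment and not Exim code. The function name stale_wait_ids, the host name mx.example.test and the demo spool directory are constructed; it assumes the 6-6-2 message ID form and the <id>-D data file name seen in the log lines above.

```shell
#!/bin/sh
# Added example (not Exim code): report message IDs that a wait-<transport>
# hints database still lists although no <id>-D spool data file exists.
# Input on stdin: exim_dumpdb output, one "host id id ..." line per host,
# in the form quoted in the comment above.
# Assumption: 6-6-2 message IDs and data files named <id>-D below the
# spool "input" directory.
#
# Real use would look like:
#   exim_dumpdb /var/spool/exim/ wait-remote_smtp | stale_wait_ids /var/spool/exim/input

stale_wait_ids() {
    input_dir=$1
    while read -r host ids; do
        for id in $ids; do
            case $id in
                ??????-??????-??) ;;   # shaped like a message ID
                *) continue ;;         # ignore anything else on the line
            esac
            # find also searches subdirectories, so a split spool is covered
            if [ -z "$(find "$input_dir" -name "$id-D" 2>/dev/null)" ]; then
                printf '%s %s\n' "$host" "$id"
            fi
        done
    done
}

# Constructed demo: three IDs recorded for one host, only one still queued.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/input"
    : > "$tmp/input/1ZRi86-0001Q1-50-D"
    stale_wait_ids "$tmp/input" <<'EOF'
mx.example.test 1ZRhxs-0007dc-Bp 1ZRi1e-0008So-Oa 1ZRi86-0001Q1-50
EOF
    rm -rf "$tmp"
}

demo
```

A message can be delivered between the dump and the check, so a reported ID is an inconsistency to look into, not proof of a fault.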
