[exim] Segfault in perform_ldap_search() in exim-4.90.1

Author: Matthew Slowe
Date:  
To: exim-users
Subject: [exim] Segfault in perform_ldap_search() in exim-4.90.1
Hi,

We've updated to the EPEL shipped 4.90.1 (exim-4.90.1-2.el7.x86_64) from
exim-4.89-4.el7.x86_64 and have started seeing frequent segfaults.

Mar 8 12:26:59 americano kernel: exim[1607]: segfault at 8 ip 0000560dd32915d0 sp 00007fffcef352b0 error 4 in exim[560dd31b1000+133000]

Stoking up gdb for live coredump shows:

Core was generated by `exim -bd -d+all'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000560dd32915d0 in perform_ldap_search (ldap_url=<optimized out>, server=<optimized out>, server@entry=0x7fffcef354a0 "localhost", s_port=<optimized out>, search_type=search_type@entry=1, res=res@entry=0x7fffcef35720, 
    errmsg=errmsg@entry=0x560dd34fa778 <search_error_message>, defer_break=defer_break@entry=0x7fffcef35488, user=user@entry=0x560dd48f4810 "uid=<removed>", password=password@entry=0x560dd48f4840 "<removed>", 
    sizelimit=sizelimit@entry=0, timelimit=timelimit@entry=0, tcplimit=tcplimit@entry=0, dereference=dereference@entry=0, referrals=referrals@entry=0x7f6b07d321e0 <ber_pvt_opt_on>) at ldap.c:1076
1076    DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);
We can reliably reproduce the segfault using "exim -bt <address>" too.
This line appears to have changed between the two versions:

@@ -1077,8 +1073,8 @@ if (!attribute_found)

/* Otherwise, it's all worked */

-DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data);
-*res = data;
+DEBUG(D_lookup) debug_printf("LDAP search: returning: %s\n", data->s);
+*res = data->s;

RETURN_OK:
if (result != NULL) ldap_msgfree(result);
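Review bot: both `+` lines dereference `data` unconditionally (`data->s`) where the `-` lines only passed the pointer through, so the NULL case that the old code tolerated (`*res = data;` with `data == NULL`, meaning "no value") now reads through a null pointer; the poster's gdb session confirms `data` is `(gstring *) 0x0` at exactly this point. Suggest guarding both lines in the same way as the other `if (data)` guards the poster mentions elsewhere in ldap.c, e.g. `*res = data ? data->s : NULL;` and the same conditional around the `DEBUG(D_lookup)` print, or alternatively making the `if (!attribute_found)` branch shown in the hunk header return before this point when nothing was accumulated, so the fix decides in one place what a NULL `data` means.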

The other references to data in ldap.c seem to be wrapped in if(data) but not this one...

(gdb) print data
$1 = (gstring *) 0x0

Is this a simple bug fixed by wrapping the block in if(data)?

Entire stack trace below:

#0  0x0000560dd32915d0 in perform_ldap_search (ldap_url=<optimized out>, server=<optimized out>, server@entry=0x7fffcef354a0 "localhost", s_port=<optimized out>, search_type=search_type@entry=1, res=res@entry=0x7fffcef35720, 
    errmsg=errmsg@entry=0x560dd34fa778 <search_error_message>, defer_break=defer_break@entry=0x7fffcef35488, user=user@entry=0x560dd48f4810 "<removed>", password=password@entry=0x560dd48f4840 "<removed>", 
    sizelimit=sizelimit@entry=0, timelimit=timelimit@entry=0, tcplimit=tcplimit@entry=0, dereference=dereference@entry=0, referrals=referrals@entry=0x7f6b07d321e0 <ber_pvt_opt_on>) at ldap.c:1076
#1  0x0000560dd3291ef4 in control_ldap_search (ldap_url=<optimized out>, search_type=1, res=0x7fffcef35720, errmsg=0x560dd34fa778 <search_error_message>) at ldap.c:1328
#2  0x0000560dd3246dc6 in internal_search_find (handle=handle@entry=0x560dd48f4230, filename=filename@entry=0x0, keystring=<optimized out>, 
    keystring@entry=0x560dd490eab0 "user=\"<removed>\" pass=\"<removed>\" ldap:///o=kent.ac.uk,o=uni?unikentmailid?sub?(&(objectClass=mailRecipient)(!(inetUserStatus=deleted))(mailAlternateAddress=smtp:t"...)
    at search.c:522
#3  0x0000560dd32478ce in search_find (handle=0x560dd48f4230, filename=filename@entry=0x0, 
    keystring=keystring@entry=0x560dd490eab0 "user=\"<removed>\" pass=\"<removed>\" ldap:///o=kent.ac.uk,o=uni?unikentmailid?sub?(&(objectClass=mailRecipient)(!(inetUserStatus=deleted))(mailAlternateAddress=smtp:t"..., partial=-1, affix=0x0, affixlen=99, starflags=0, expand_setup=expand_setup@entry=0x7fffcef358f8) at search.c:671
#4  0x0000560dd32129c7 in expand_string_internal (
    string=0x560dd48b8240 "${lookup ldap {user=\"<removed>\" pass=\"<removed>\" ldap:///o=kent.ac.uk,o=uni?unikentmailid?sub?(&(objectClass=mailRecipient)(!(inetUserStatus=deleted))(mailAlternat"..., 
    ket_ends=ket_ends@entry=0, left=left@entry=0x0, skipping=skipping@entry=0, honour_dollar=honour_dollar@entry=1, resetok_p=resetok_p@entry=0x0) at expand.c:4353
#5  0x0000560dd320eaaa in expand_cstring (string=<optimized out>) at expand.c:7574
#6  0x0000560dd3218815 in expand_string (string=<optimized out>) at expand.c:7585
#7  0x0000560dd3242900 in rewrite_one (s=<optimized out>, flag=128, whole=whole@entry=0x0, add_header=0, name=0x560dd32b5dc2 "original-recipient", rewrite_rules=<optimized out>) at rewrite.c:192
#8  0x0000560dd32435cc in rewrite_address (s=<optimized out>, s@entry=0x560dd48d7328 "<user>", is_recipient=is_recipient@entry=2, add_header=3542953712, add_header@entry=0, rewrite_rules=0x0, existflags=22029) at rewrite.c:410
#9  0x0000560dd326a392 in verify_address (vaddr=vaddr@entry=0x7fffcef36f10, f=f@entry=0x0, options=2, callout=callout@entry=-1, callout_overall=callout_overall@entry=-1, callout_connect=callout_connect@entry=-1, se_mailfrom=se_mailfrom@entry=0x0, 
    pm_mailfrom=pm_mailfrom@entry=0x0, routed=routed@entry=0x0) at verify.c:1660
#10 0x0000560dd31f1af3 in acl_verify (where=<optimized out>, addr=<optimized out>, arg=<optimized out>, user_msgptr=<optimized out>, log_msgptr=<optimized out>, basic_errno=<optimized out>) at acl.c:2049
#11 0x0000560dd31f34b3 in acl_check_internal (where=<optimized out>, addr=<optimized out>, s=<optimized out>, user_msgptr=<optimized out>, log_msgptr=<optimized out>) at acl.c:3706
#12 0x0000560dd31f5cef in acl_check (where=<optimized out>, recipient=<optimized out>, s=<optimized out>, user_msgptr=<optimized out>, log_msgptr=<optimized out>) at acl.c:4391
#13 0x0000560dd325440d in smtp_setup_msg () at smtp_in.c:5001
#14 0x0000560dd31f900a in handle_smtp_call (accepted=0x7fffcef37fc0, accept_socket=<optimized out>, listen_socket_count=<optimized out>, listen_sockets=0x560dd48d61f0) at daemon.c:504
#15 daemon_go () at daemon.c:2049
#16 0x0000560dd31ec999 in main (argc=<optimized out>, cargv=<optimized out>) at exim.c:4856
--
Matthew Slowe | Server Infrastructure Officer
IT Infrastructure, Information Services, University of Kent
Room S21, Cornwallis South
Canterbury, Kent, CT2 7NZ, UK
Tel: +44 (0)1227 824265

www.kent.ac.uk/is | @UnikentUnseenIT | @UKCLibraryIt
PGP: https://keybase.io/fooflington
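The pattern behind the crash, as an added stand-alone example (not Exim's code and not the poster's): a growable-string accumulator that is NULL until the first value is appended, a search loop that only appends when it finds something, and two consumers, one that dereferences the accumulator unconditionally (the 4.90.1 shape) and one that guards it (the `if(data)` shape asked about above). The `gstring` layout, the `gstring_cat`/`collect_values` helpers and the sample values are constructed for this example; with the layout used here a NULL `data` makes `data->s` read address 8, which is consistent with the kernel's `segfault at 8`, but Exim's real struct is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a growable string. A NULL pointer means
   "nothing appended yet"; the s member sits at offset 8 on LP64. */
typedef struct {
    int size;   /* bytes allocated for s */
    int ptr;    /* bytes used so far */
    char *s;    /* buffer, kept NUL-terminated here for simplicity */
} gstring;

/* Append len bytes of src, allocating the accumulator on first use.
   Returns the accumulator, which may be a new allocation. */
static gstring *gstring_cat(gstring *g, const char *src, int len) {
    if (!g) {
        g = malloc(sizeof *g);
        g->size = 64;
        g->ptr = 0;
        g->s = malloc((size_t)g->size);
    }
    while (g->ptr + len + 1 > g->size) {
        g->size *= 2;
        g->s = realloc(g->s, (size_t)g->size);
    }
    memcpy(g->s + g->ptr, src, (size_t)len);
    g->ptr += len;
    g->s[g->ptr] = '\0';
    return g;
}

/* Model of the attribute loop: each value found is appended, comma
   separated. If no value is found the accumulator is never allocated
   and the function returns NULL, which is the case that bites. */
static gstring *collect_values(const char **values, int n) {
    gstring *data = NULL;
    for (int i = 0; i < n; i++) {
        if (data) data = gstring_cat(data, ",", 1);
        data = gstring_cat(data, values[i], (int)strlen(values[i]));
    }
    return data;
}

/* Unguarded consumer: the shape of the 4.90.1 lines. A NULL data
   crashes here (read of address 8). Kept for illustration, never
   called with NULL below. */
static char *result_unguarded(gstring *data) {
    return data->s;
}

/* Guarded consumer: what wrapping the block in if(data) amounts to.
   NULL propagates as "no result" instead of faulting. */
static char *result_guarded(gstring *data) {
    return data ? data->s : NULL;
}

/* End-to-end: search values -> accumulator -> caller-visible result. */
static const char *lookup_result(const char **values, int n) {
    return result_guarded(collect_values(values, n));
}

/* Constructed sample data for the demonstration. */
static const char *sample_values[] = {"alice@example.org", "a.other@example.org"};
static const int sample_count = 2;

int main(void) {
    gstring *hit = collect_values(sample_values, sample_count);
    printf("found:     %s\n", result_unguarded(hit));      /* safe, hit != NULL */
    printf("not found: %s\n", result_guarded(NULL) ? "?" : "(NULL, no crash)");
    free(hit->s);
    free(hit);
    return 0;
}
```

The point the guarded version makes is that "no attribute found" and "attribute found" must both reach the caller through the same `*res` assignment, so the consumer has to handle the accumulator being NULL, or the code before it has to turn the empty case into an early return; either is fine, but one of them must happen.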