Closed Bug 265007 Opened 20 years ago Closed 20 years ago

Crash over message without Message-ID header when collecting with POP3 [@ PL_HashString]

Categories

(MailNews Core :: Networking: POP, defect)

x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mozilla-bugs, Assigned: mcsmurf)

Details

(Keywords: crash)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8a4) Gecko/20040927
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8a4) Gecko/20040927

Crash over message without Message-ID header when collecting with POP3.  The
POP3 connection had completed receiving the RETR data.

My MTA replaces invalid headers like this:

Illegal-Object: Syntax error in Message-ID: value found on relay-1.netbauds.net
        Message-ID:     <D785EF15D37563E.71E5F@dkhzcgchuscke@japan.co.jp>
                                                                    ^-illegal e

It created a new header line and indents the bad one so it's a continuation of
the new header line.

To get Mozilla to accept the email I manually edited the mailfile on the POP3
server by adding this line below that quoted above:

Message-ID: <D785EF15D37563E.71E5F@dkhzcgchuscke.japan.co.jp>


This is an strace() of the mozilla processes.

[pid  6578] kill(6584, SIGRTMIN <unfinished ...>
[pid  6584] <... nanosleep resumed> 0)  = -1 EINTR (Interrupted system call)
[pid  6578] <... kill resumed> )        = 0
[pid  6584] --- SIGRTMIN (Unknown signal 32) @ 0 (0) ---
[pid  6578] write(44, "From - Tue Oct 19 03:54:17 2004\nX-Account-Key:
account4\nX-Mozilla-Status: 0000\nX-Mozilla-Status2: 00000000\nReceived: from
[83.213.190.244] ([83.213.190.244]:42512 \"HELO 62.232.161.102\"\n\tTLS-CIPHER:
<none> TLS-PEER-CN1: <none>) by relay-1.netbauds.net\n\twith SMTP id
S7654928AbUJOG3X (ORCPT\n\t<rfc822;darryl@darrylmiles.org>); Fri, 15 Oct 2004
07:29:23
+0100\nX-Message-Info:\t931WEC4HAAe9CBJ0lwlCihwZSH4DmjZCRCFdgdFSpSNBPJ7\nReceived:
from signal8steroidmitochondria (D0.43.329.E6) by
mail4273.dkhzcgchuscke@japan.co.jp (Bluewin AG 3.E.7D1)\n        id
429A14CH625FXM8E26D for darryl@darrylmiles.org; Fri, 15 Oct 2004 05:24:04
-0200\nIllegal-Object:\tSyntax error in Message-ID: value found on
relay-1.netbauds.net:\n\tMessage-ID:\t<D785EF15D37563E.71E5F@dkhzcgchuscke@japan.co.jp>\n\t\t\t\t\t\t\t\t
   ^-illegal end of message identification\nReply-To: \"Gregory Rivera\"
<dkhzcgchuscke@japan.co.jp>\nFrom:\t\"Gregory Rivera\"
<dkhzcgchuscke@japan.co.jp>\nTo:\t\"Darryl\" <darryl@darrylmiles.org>\nSubject:
this stock is showing triple-digit earnings grow"..., 4096 <unfinished ...>
[pid  6584] rt_sigprocmask(SIG_SETMASK, [RTMIN],  <unfinished ...>
[pid  6578] <... write resumed> )       = 4096
[pid  6584] <... rt_sigprocmask resumed> NULL, 8) = 0
[pid  6578] write(44, "ions in this featured profile are <=\nbr>\n  based on
sources believed to be reliable but no representation is made <=\nbr>\n  to its
accuracy or completeness. Past performance is not an indicator <b=\nr>\n  of
future results. This report is a paid profile for information purpose=\ns <br>\n
 only and should not be used as the basis for any investment decision. <b=\nr>\n
 The publisher has been compensated ten thousand dollars for the preparat=\nion
\n  <br>\n  of this profile and for continuing coverage of the featured company.
The=\n <br>\n  publisher is not an investment advisor and this profile is not to
be <br=\n>\n  considered investment advice. This information is neither a
solicitation=\n <br>\n  to buy nor an offer to sell securities. Information
herein contains futu=\nre-<br>\n  looking statements that are subject to
significant risks and uncertainti=\nes. \n  <br>\n  There are no shares
presently held and no participation will occur in th=\ne <br>\n  trading of
shares in any profiled company.<br>\n</p>\n</body>\n</html>\n\n\n----0"..., 1043
<unfinished ...>
[pid  6584] gettimeofday( <unfinished ...>
[pid  6578] <... write resumed> )       = 1043
[pid  6584] <... gettimeofday resumed> {1098154457, 202638}, NULL) = 0
[pid  6578] fsync(44 <unfinished ...>
[pid  6584] gettimeofday({1098154457, 202887}, NULL) = 0
[pid  6584] gettimeofday({1098154457, 203139}, NULL) = 0
[pid  6584] rt_sigprocmask(SIG_BLOCK, NULL, [RTMIN], 8) = 0
[pid  6584] rt_sigprocmask(SIG_UNBLOCK, [RTMIN], [RTMIN], 8) = 0
[pid  6584] gettimeofday({1098154457, 203514}, NULL) = 0
[pid  6584] nanosleep({1, 778625000},  <unfinished ...>
[pid  6578] <... fsync resumed> )       = 0
[pid  6578] fsync(44)                   = 0
[pid  6578]
stat64("/data/home/darryl/.mozilla/default/zbnpfwy5.slt/Mail/mail.darrylmiles.org/Inbox.msf",
{st_mode=S_IFREG|0664, st_size=191096, ...}) = 0
[pid  6578] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
[pid  6578] unlink("/data/home/darryl/.mozilla/default/zbnpfwy5.slt/lock") = 0
[pid  6578] rt_sigaction(SIGSEGV, NULL, {0x401004cc, ~[KILL STOP], SA_RESTORER,
0x4071dd48}, 8) = 0
[pid  6578] times({tms_utime=2247, tms_stime=163, tms_cutime=1, tms_cstime=1}) =
6882100
[ LOTS more stuff deleted below ]


Reproducible: Always
Steps to Reproduce:
1.  Using Send/Recv mail on the POP3 account concerned.
2.
3.

Actual Results:  
The mozilla process crashed.  I disabled the debugging screen one time and can't
find an option to re-enable it upon crash.

Expected Results:  
Processed the email without crashing.

I have no core file, it won't generate one even when ulimit -c is set.  Maybe the
chdir() value is not where I started it up ?

reporter: please don't paste straces unless asked, they are not stack traces and
have nothing to do with stack traces.

if talkback pops up, please run components/talkback to find a talkback incident
id for your crash.

if you can't get talkback happy and can build, make a build with --enable-debug
then run ./mozilla -g -d gdb

at the gdb prompt, type |run|

when you crash, type |where|

copy the output of where to the bug.

Sorry for the strace output, but "./mozilla -g -d gdb" isn't an obvious choice
for me :)


(Gecko:14962): GLib-GObject-WARNING **: gsignal.c:1893: signal `select_all' is
invalid for instance `0x84a49b8'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 14962)]
0x40099c88 in PL_HashString () from ./libplds4.so
(gdb) where
#0  0x40099c88 in PL_HashString () from ./libplds4.so
#1  0xbfffef58 in ?? ()
#2  0x40099ac6 in PL_HashTableLookup () from ./libplds4.so
#3  0x425c5b31 in NSGetModule ()
   from /usr/local/mozilla/components/liblocalmail.so
#4  0x425c6b9c in NSGetModule ()
   from /usr/local/mozilla/components/liblocalmail.so
#5  0x41c6c64e in nsMsgProtocol::OnDataAvailable(nsIRequest*, nsISupports*,
nsIInputStream*, unsigned, unsigned) () from /usr/local/mozilla/libmsgbaseutil.so
#6  0x40d5627e in NSGetModule () from /usr/local/mozilla/components/libnecko.so
#7  0x40d55fff in NSGetModule () from /usr/local/mozilla/components/libnecko.so
#8  0x40c297f1 in nsInputStreamReadyEvent::EventHandler(PLEvent*) ()
   from /usr/local/mozilla/libxpcom.so
#9  0x40c3eec7 in PL_HandleEvent () from /usr/local/mozilla/libxpcom.so
#10 0x40c3edf4 in PL_ProcessPendingEvents ()
   from /usr/local/mozilla/libxpcom.so
#11 0x40c409a9 in nsEventQueueImpl::NotifyObservers(char const*) ()
   from /usr/local/mozilla/libxpcom.so
#12 0x415155c5 in _IcePaAuthDataEntries ()
   from /usr/local/mozilla/components/libwidget_gtk2.so
#13 0x40514ddf in g_vsnprintf () from /usr/lib/libglib-2.0.so.0
#14 0x404f3b35 in g_get_current_time () from /usr/lib/libglib-2.0.so.0
#15 0x404f4b78 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0x404f4e8d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0x404f558f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#18 0x4021bf5f in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#19 0x415159e6 in _IcePaAuthDataEntries ()
   from /usr/local/mozilla/components/libwidget_gtk2.so
#20 0x4145f304 in fullsoft_copyright ()
   from /usr/local/mozilla/components/libnsappshell.so
#21 0x0804d553 in strcpy ()
#22 0x0804dfc9 in strcpy ()
#23 0x4070c5cd in __libc_start_main () from /lib/libc.so.6
(gdb)

Finally pulled the CVS and built MOZILLA_1_8a4_RELEASE with debugging.

Another important factor to inform you of is that my POP3 server does not
support the UIDL command.

While this command is widespread it's not mandatory. I do NOT leave my mail
on the server, I always collect and delete at every session.  I would expect
any POP3 client to either not support de-duplication of messages from POP3
mailboxes or to have its own implemented scheme to be able to assign a
unique ID based on some fixed Header information From, Date and maybe an MD5
hash of the msg body.

These messages in question are in my mailbox and DO NOT have a Message-ID
header since the Message-ID header was removed by my MTA due to SPAMMERs
using malformed double @ signs in them.

I certainly wouldn't expect any client to crash from seeing any invalid
data or missing headers, some fallback action should be taken, maybe mozilla
itself assigning its own message ID to it.

NB: The diskspace calculation is wrong or at least displayed incorrectly, I
presume this is a 64bit kernel and userspace value by now.

Let me know if there is anything else I can do, I can provide you with a POP3
server account, without UIDL support, with a broken message on it.


From my '-g -t gdb' session:

Begin mail message delivery.
GetDiskSpaceAvailable returned: -1624317952 bytes
Incorporate message begin:
Incorporate message complete.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 3327)]
0x400d00c2 in PL_HashString (key=0x0) at plhash.c:526
526         for (s = (const PRUint8*)key; *s; s++)
Current language:  auto; currently c
(gdb) bt
#0  0x400d00c2 in PL_HashString (key=0x0) at plhash.c:526
#1  0x400cfed3 in PL_HashTableLookup (ht=0x8970128, key=0x0) at plhash.c:390
#2  0x43038b8c in nsPop3Protocol::RetrResponse(nsIInputStream*, unsigned) (
    this=0x8b2f540, inputStream=0x88a2e44, length=444)
    at nsPop3Protocol.cpp:3058
#3  0x4303a060 in nsPop3Protocol::ProcessProtocolState(nsIURI*,
nsIInputStream*, unsigned, unsigned) (this=0x8b2f540, url=0x8b092ac,
aInputStream=0x88a2e44,
    sourceOffset=18088, aLength=444) at nsPop3Protocol.cpp:3613
#4  0x4239c019 in nsMsgProtocol::OnDataAvailable(nsIRequest*, nsISupports*,
nsIInputStream*, unsigned, unsigned) (this=0x8b2f540, request=0x8b32070,
    ctxt=0x8b092ac, inStr=0x88a2e44, sourceOffset=18088, count=444)
    at nsMsgProtocol.cpp:325
#5  0x40d85e5c in nsInputStreamPump::OnStateTransfer() (this=0x8b32070)
    at nsInputStreamPump.cpp:435
#6  0x40d85a04 in
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (
    this=0x8b32070, stream=0x88a2e44) at nsInputStreamPump.cpp:338
#7  0x40a88d11 in nsInputStreamReadyEvent::EventHandler(PLEvent*) (
    plevent=0x876e474) at nsStreamUtils.cpp:118
#8  0x40aae148 in PL_HandleEvent (self=0x876e474) at plevent.c:692
#9  0x40aadfe9 in PL_ProcessPendingEvents (self=0x8175350) at plevent.c:627
#10 0x40ab13a8 in nsEventQueueImpl::ProcessPendingEvents() (this=0x8175318)
    at nsEventQueue.cpp:391
#11 0x419ee8b8 in event_processor_callback (data=0x8175318, source=6,
    condition=GDK_INPUT_READ) at nsAppShell.cpp:189
#12 0x419ee221 in our_gdk_io_invoke (source=0x42200f20, condition=G_IO_IN,
    data=0x422012e0) at nsAppShell.cpp:74
#13 0x4031f0a6 in g_io_add_watch () from /usr/lib/libglib-1.2.so.0
#14 0x403209ae in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#15 0x40320e89 in g_get_current_time () from /usr/lib/libglib-1.2.so.0
#16 0x40321124 in g_main_run () from /usr/lib/libglib-1.2.so.0
#17 0x4022c27f in gtk_main () from /usr/lib/libgtk-1.2.so.0
#18 0x419eed20 in nsAppShell::Run() (this=0x81af450) at nsAppShell.cpp:320
#19 0x419a2ef9 in nsAppShellService::Run() (this=0x81af1c8)
    at nsAppShellService.cpp:488
#20 0x08064719 in main1 (argc=1, argv=0xbffff794, nativeApp=0x8151d68)
    at nsAppRunner.cpp:1321
#21 0x0806554c in main (argc=1, argv=0xbffff794) at nsAppRunner.cpp:1799
#22 0x4051c5cd in __libc_start_main () from /lib/libc.so.6

(gdb) frame
#2  0x43038b8c in nsPop3Protocol::RetrResponse(nsIInputStream*, unsigned) (
    this=0x8b2f540, inputStream=0x88a2e44, length=444)
    at nsPop3Protocol.cpp:3058
3058                  uidlEntry = (Pop3UidlEntry
*)PL_HashTableLookup(m_pop3ConData->newuidl, info->uidl);
(gdb) p info->uidl
$2 = 0x0
(gdb) p m_pop3ConData->newuidl
$3 = (PLHashTable *) 0x8970128
(gdb) p info->uidl
$4 = 0x0

thank you very much, this is easily fixed based on the stack trace.

if you'd like to follow along, the basic problem is that hash keys are supposed
to be non null.

i've marked in the url field all of the places in this file which don't seem to
check for that constraint before calling PL_HashTableLookup.

You can compare those call sites to the unmarked ones, which do null check the
key param before performing that op. someone should post a patch within 2 days,
if no one does, please bug me on irc.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Summary: Crash over message without Message-ID header when collecting with POP3 → Crash over message without Message-ID header when collecting with POP3 [@ PL_HashString]
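The constraint described in the comment above (hash keys must be non-null, so each call site has to check before the lookup), as an added example that is not Mozilla's or NSPR's code and not the attached patch. The uidl_table and uidl_entry types and the uidl_* functions are hypothetical stand-ins for PLHashTable, Pop3UidlEntry and the call in RetrResponse; only the loop shape of hash_string follows the line gdb printed for plhash.c:526.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NBUCKETS 16

/* Hypothetical stand-ins, not NSPR's PLHashTable or Mozilla's Pop3UidlEntry. */
struct uidl_entry { const char *uidl; char status; struct uidl_entry *next; };
struct uidl_table { struct uidl_entry *bucket[NBUCKETS]; };

/* Same loop shape as plhash.c:526 in the backtrace: it reads *key at once,
 * so a NULL key faults here. Callers must guarantee key != NULL. */
static uint32_t hash_string(const char *key)
{
    uint32_t h = 0;
    for (const unsigned char *s = (const unsigned char *)key; *s; s++)
        h = ((h << 4) | (h >> 28)) ^ *s;
    return h;
}

/* Refuse to store an entry that has no UIDL; returns 0 on success, -1 otherwise. */
static int uidl_insert(struct uidl_table *t, struct uidl_entry *e)
{
    if (t == NULL || e == NULL || e->uidl == NULL)
        return -1;
    uint32_t i = hash_string(e->uidl) % NBUCKETS;
    e->next = t->bucket[i];
    t->bucket[i] = e;
    return 0;
}

/* Guarded lookup: a message with no UIDL (the server lacks the UIDL command)
 * is reported as "not found" instead of being passed to the hash function. */
static struct uidl_entry *uidl_lookup(const struct uidl_table *t, const char *uidl)
{
    if (t == NULL || uidl == NULL)
        return NULL;
    for (struct uidl_entry *e = t->bucket[hash_string(uidl) % NBUCKETS]; e; e = e->next)
        if (strcmp(e->uidl, uidl) == 0)
            return e;
    return NULL;
}

/* Constructed sample: one known UIDL, then the NULL key seen in the gdb session. */
static int demo(void)
{
    struct uidl_table t = {{0}};
    struct uidl_entry known = { "constructed-uidl-0001", 'k', NULL };
    int ok = uidl_insert(&t, &known) == 0;
    ok = ok && uidl_lookup(&t, "constructed-uidl-0001") == &known;
    ok = ok && uidl_lookup(&t, NULL) == NULL;   /* info->uidl == 0x0 case */
    return ok && uidl_lookup(&t, "absent") == NULL;
}

int main(void) { return demo() ? 0 : 1; }
```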
Attached patch: Patch (diff -u)
Comment on attachment 165453
Patch (diff -uwp 11)

Note: If you want to review my whitespace changes, too, take a look at
Attachment 165452
Attachment #165453 - Flags: superreview?(dmose)
Attachment #165453 - Flags: review?(bienvenu)
Attachment #165453 - Flags: review?(bienvenu) → review+
Comment on attachment 165453
Patch (diff -uwp 11)

sr=dmose
Attachment #165453 - Flags: superreview?(dmose) → superreview+
mozilla/mailnews/local/src/nsPop3Protocol.cpp 	1.233
Assignee: sspitzer → bugzilla
fixed per previous comment
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I have checked out the HEAD and rebuilt and downloaded a message that crashed
stock 1.8a4 only 10 minutes ago.  The HEAD version does not crash with your
patches, many thanks for the fix.
V. per comment
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
Crash Signature: [@ PL_HashString]