Crash if IMAP literal contains data after chunk boundary



MailNews Core
Networking: IMAP
12 years ago
10 years ago


(Reporter: Frank Markus Abbühl, Assigned: Bienvenu)



1.8 Branch

Firefox Tracking Flags

(Not tracked)


(Whiteboard: closeme 2008-06-19)



12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/Debian-1.5.dfsg+ Firefox/
Build Identifier: 1.0.7 (20051017)

While testing an IMAP daemon I was just hacking, I noticed Thunderbird would crash when it fetched a certain message. This was due to a bug in my daemon because it sent an additional line feed character (LF) in the fetch response if the last charachter should have been a carriage return (CR). I could reproduce the crashes by inserting an arbitrary character, for example an 'x'.

1 UID FETCH (BODY[]<0.10240>)
* UID FETCH (BODY[]<0> {10240}
<10239 octets>^Mx)

Here is the output from the debug log:

-1245955152[8b33d38]: ngnWppK9tupQIguhqPFnn3255m9U3N/Ej1QPbnmb+OTfxKfVEjQK7m9X5LwyiyDs/L30lxil^Mx)^M
-1245955152[8b33d38]: PARSER: CR/LF fell on chunk boundary.
-1245955152[8b33d38]: Syntax Error: %s: ngnWppK9tupQIguhqPFnn3255m9U3N/Ej1QPbnmb+OTfxKfVEjQK7m9X5LwyiyDs/L30lxil^Mx)^M
-1245955152[8b33d38]: Abort Message  Download Stream
-1245955152[8b33d38]: BODYSHELL:  Adding shell to cache.

Note the 'x' before the closing brace at^Mx)^M
^M stands for carriage return.

Reproducible: Always

Steps to Reproduce:
1. Forge any IMAP daemon to send an extra byte.
2. Find or prepare a large message where offset 10240 points between CR and LF.
3. Fetch that message

Actual Results:  
Thunderbird exits (crashes) without error message.

Expected Results:  
Thunderbird should handle this gracefully or even better show an error message.

Instead of crashing, Thunderbird just did not respond any more and consumed a lot of CPU cycles, maybe an endless loop.

Comment 1

12 years ago
you have two competing actual results, one is under expected results, did you recycle part of your bug filing?
Assignee: mscott → bienvenu
Component: General → Networking: IMAP
Keywords: crash
Product: Thunderbird → Core
QA Contact: general → grylchan
Version: unspecified → 1.8 Branch

Comment 2

12 years ago
Beg your pardon of this was confusing. I used the guided web-form and typed the stuff into the "Additional Information" text box.

Comment 3

12 years ago
Frank, you said:

Thunderbird exits (crashes) without error message.
and then
Thunderbird just did not respond any more

Which one happened?

Comment 4

12 years ago
Both versions behave differently:
1.0.7   crashes (means: process terminates unexpectedly.) hangs (means: does not accept input, consumes CPU cycles.)
Reporters, does this issue still occur in the latest supported / trunk nightlies?
Whiteboard: closeme 2008-06-19

Comment 6

10 years ago
I do not have access to the original source code, so I tried to reproduce the behaviour (using inetd and a quick and dirty hack spitting out IMAP responses). seems to work fine.
resolving WORKSFORME based on comment #6.
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.