Crash if IMAP literal contains data after chunk boundary

RESOLVED WORKSFORME

Status

MailNews Core
Networking: IMAP
--
critical
12 years ago
10 years ago

People

(Reporter: Frank Markus Abbühl, Assigned: Bienvenu)

Tracking

({crash})

1.8 Branch
x86
Linux
crash

Details

(Whiteboard: closeme 2008-06-19)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.2) Gecko/Debian-1.5.dfsg+1.5.0.2-3 Firefox/1.5.0.2
Build Identifier: 1.0.7 (20051017)

While testing an IMAP daemon I was just hacking, I noticed Thunderbird would crash when it fetched a certain message. This was due to a bug in my daemon because it sent an additional line feed character (LF) in the fetch response if the last character should have been a carriage return (CR). I could reproduce the crashes by inserting an arbitrary character, for example an 'x'.

1 UID FETCH (BODY[]<0.10240>)
* UID FETCH (BODY[]<0> {10240}
<10239 octets>^Mx)

Here is the output from the debug log:

-1245955152[8b33d38]: 89d3720:imap.xxx.org:S-XXXXXXXX:CreateNewLineFromSocket: ngnWppK9tupQIguhqPFnn3255m9U3N/Ej1QPbnmb+OTfxKfVEjQK7m9X5LwyiyDs/L30lxil^Mx)^M
-1245955152[8b33d38]: PARSER: CR/LF fell on chunk boundary.
-1245955152[8b33d38]: 89d3720:imap.xxx.org:S-XXXXXXXX:PARSER:Internal Syntax Error: %s: ngnWppK9tupQIguhqPFnn3255m9U3N/Ej1QPbnmb+OTfxKfVEjQK7m9X5LwyiyDs/L30lxil^Mx)^M
-1245955152[8b33d38]: 89d3720:imap.xxx.org:S-XXXXXXXX:STREAM:CLOSE: Abort Message  Download Stream
-1245955152[8b33d38]: BODYSHELL:  Adding shell to cache.

Note the 'x' before the closing brace at ...il^Mx)^M
^M stands for carriage return.


Reproducible: Always

Steps to Reproduce:
1. Forge any IMAP daemon to send an extra byte.
2. Find or prepare a large message where offset 10240 points between CR and LF.
3. Fetch that message

Actual Results:  
Thunderbird exits (crashes) without error message.

Expected Results:  
Thunderbird should handle this gracefully or even better show an error message.

Instead of crashing, Thunderbird 1.5.0.2 just did not respond any more and consumed a lot of CPU cycles, maybe an endless loop.
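
Added example, not part of the bug report and not Thunderbird's code: a length-delimited reader for the literal in the response above that returns a status for every input, including a literal ending in a bare CR followed by a stray byte. The names, the `kMaxLiteral` cap and the sample response are constructed, and it assumes the literal is the last item of the FETCH response.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

enum class LiteralStatus { Ok, NeedMoreData, SyntaxError };

struct LiteralResult {
    LiteralStatus status;
    std::string payload;  // literal octets; filled only when status == Ok
};

// Hypothetical cap on an announced literal size (not a Thunderbird constant).
constexpr std::size_t kMaxLiteral = 1u << 20;

// Parse "... {N}\r\n<N octets>)\r\n" out of an untrusted server buffer.
// Every path returns a status; nothing is read past buf.size().
LiteralResult parse_fetch_literal(const std::string& buf) {
    const std::size_t open = buf.find('{');
    if (open == std::string::npos) return {LiteralStatus::SyntaxError, ""};
    const std::size_t close = buf.find("}\r\n", open);
    if (close == std::string::npos) return {LiteralStatus::NeedMoreData, ""};
    if (close == open + 1) return {LiteralStatus::SyntaxError, ""};  // "{}"
    std::size_t n = 0;
    for (std::size_t i = open + 1; i < close; ++i) {
        if (buf[i] < '0' || buf[i] > '9') return {LiteralStatus::SyntaxError, ""};
        n = n * 10 + static_cast<std::size_t>(buf[i] - '0');
        if (n > kMaxLiteral) return {LiteralStatus::SyntaxError, ""};
    }
    const std::size_t start = close + 3;  // first octet after "}\r\n"
    if (buf.size() - start < n) return {LiteralStatus::NeedMoreData, ""};
    // The octet count alone delimits the literal, even when it ends in a bare CR.
    const std::size_t end = start + n;
    const std::string tail = ")\r\n";
    const std::size_t have = std::min(buf.size() - end, tail.size());
    if (buf.compare(end, have, tail, 0, have) != 0)
        return {LiteralStatus::SyntaxError, ""};  // e.g. the stray 'x' before ')'
    if (have < tail.size()) return {LiteralStatus::NeedMoreData, ""};
    return {LiteralStatus::Ok, buf.substr(start, n)};
}

int main() {
    // Constructed sample: 10239 octets plus a final CR, then a stray 'x'.
    const std::string head = "* 1 FETCH (UID 1 BODY[]<0> {10240}\r\n";
    const std::string body = std::string(10239, 'A') + "\r";
    std::cout << (parse_fetch_literal(head + body + "x)\r\n").status ==
                  LiteralStatus::SyntaxError) << "\n";
    return 0;
}
```

A caller that receives `SyntaxError` can drop the connection and report the error, and one that receives `NeedMoreData` can wait for the next chunk; neither case re-scans the same bytes.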

Comment 1

12 years ago
You have two competing actual results; one is under expected results. Did you recycle part of your bug filing?
Assignee: mscott → bienvenu
Component: General → Networking: IMAP
Keywords: crash
Product: Thunderbird → Core
QA Contact: general → grylchan
Version: unspecified → 1.8 Branch
(Reporter)

Comment 2

12 years ago
Beg your pardon if this was confusing. I used the guided web-form and typed the 1.5.0.2 stuff into the "Additional Information" text box.

Comment 3

12 years ago
Frank, you said:

Thunderbird exits (crashes) without error message.
and then
Thunderbird 1.5.0.2 just did not respond any more

Which one happened?
(Reporter)

Comment 4

12 years ago
Both versions behave differently:
1.0.7   crashes (means: process terminates unexpectedly.)
1.5.0.2 hangs (means: does not accept input, consumes CPU cycles.)

Comment 5

Reporters, does this issue still occur in the latest supported 2.0.0.14 / trunk nightlies?
Whiteboard: closeme 2008-06-19
(Reporter)

Comment 6

10 years ago
I do not have access to the original source code, so I tried to reproduce the behaviour (using inetd and a quick and dirty hack spitting out IMAP responses). 2.0.0.14 seems to work fine.

Comment 7

resolving WORKSFORME based on comment #6.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME
Product: Core → MailNews Core