200006 2007-11-22 18:21 0000 [patch] mail-filter/procmail (all versions) out of memory crash bug when piping mail through a filter 2008-06-15 10:22:51 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED P2 critical --- 1 gwillen@nerdnet.org net-mail@gentoo.org gwillen@nerdnet.org 2007-11-22 18:21:27 0000 When piping mail through a filter, procmail tries to allocate an excessive amount of memory due to a bug. The amount it tries to allocate depends on where its data section gets loaded in memory. On my system it allocates 2GB+, yielding an OUT OF MEMORY crash. Patch is attached. Reproducible: Always Steps to Reproduce: The bug is 100% reproducible on my system, but it depends where the linker/loader put the data section of the executable. But on systems where it appears: 1. Create a procmail recipe containing a filter (a pipe whose output is not delivered, but recaptured by procmail for further processing.) 2. Run procmail -m recipe 3. Type in a test message, or just press ctrl-D for a blank one 4. Wait for procmail to timeout several times. While it's doing this you can use strace to watch it allocating gobs of memory. 5. Procmail will bounce the message (for commandline invocation, it will just whine) with an out of memory error. Actual Results: Procmail dies. Expected Results: Procmail delivers a message. I have found the bug and am attaching a patch for it. It's one character, so it should be pretty easy to verify as correct. (The variable Stdfilled is used several times very obviously as the length of a buffer, and then for a realloc, &Stdfilled is used as the length of the buffer instead. Remove the & and all is well.) I have submitted this patch to bug@procmail.org and procmail-dev@procmail.org, but so far no response. (I haven't given them very long, but there's no reason this can't get fixed in Gentoo before upstream gets around to it -- they haven't released since 2001, so it will take them a while.) gwillen@nerdnet.org 2007-11-22 18:23:12 0000 Created an attachment (id=136693) Patch to fix the bug. The change is only one character, and it should be pretty easy to verify as correct. dertobi123@gentoo.org 2008-06-15 10:22:51 0000 (In reply to comment #1) > Created an attachment (id=136693) [edit] > Patch to fix the bug. > > The change is only one character, and it should be pretty easy to verify as > correct. > This is fixed in procmail-3.22-r9. 136693 2007-11-22 18:23 0000 Patch to fix the bug. procmail.patch text/plain ZGlmZiAtcmMgcHJvY21haWwtMy4yMi9zcmMvcGlwZXMuYyBwcm9jbWFpbC0zLjIyLWZpeGVkL3Ny Yy9waXBlcy5jCioqKiBwcm9jbWFpbC0zLjIyL3NyYy9waXBlcy5jICAgVHVlIFNlcCAxMSAwMDo1 ODo0NCAyMDAxCi0tLSBwcm9jbWFpbC0zLjIyLWZpeGVkL3NyYy9waXBlcy5jICAgICBXZWQgTm92 IDIxIDIzOjUzOjM5IDIwMDcKKioqKioqKioqKioqKioqCioqKiAxOTQsMjAwICoqKioKICAgICAg IG1ha2VibG9jaygmdGVtcCxTdGRmaWxsZWQpOwogICAgICAgdG1lbW1vdmUodGVtcC5wLFN0ZG91 dCxTdGRmaWxsZWQpOwogICAgICAgcmVhZGR5bigmdGVtcCwmU3RkZmlsbGVkLFN0ZGZpbGxlZCti YWNrbGVuKzEpOwohICAgICAgU3Rkb3V0PXJlYWxsb2MoU3Rkb3V0LCZTdGRmaWxsZWQrMSk7CiAg ICAgICB0bWVtbW92ZShTdGRvdXQsdGVtcC5wLFN0ZGZpbGxlZCsxKTsKICAgICAgIGZyZWVibG9j aygmdGVtcCk7CiAgICAgICByZXRTdGRvdXQoU3Rkb3V0LHB3YWl0JiZwaXB3LCFiYWNrYmxvY2sp OwotLS0gMTk0LDIwMCAtLS0tCiAgICAgICBtYWtlYmxvY2soJnRlbXAsU3RkZmlsbGVkKTsKICAg ICAgIHRtZW1tb3ZlKHRlbXAucCxTdGRvdXQsU3RkZmlsbGVkKTsKICAgICAgIHJlYWRkeW4oJnRl bXAsJlN0ZGZpbGxlZCxTdGRmaWxsZWQrYmFja2xlbisxKTsKISAgICAgIFN0ZG91dD1yZWFsbG9j KFN0ZG91dCxTdGRmaWxsZWQrMSk7CiAgICAgICB0bWVtbW92ZShTdGRvdXQsdGVtcC5wLFN0ZGZp bGxlZCsxKTsKICAgICAgIGZyZWVibG9jaygmdGVtcCk7CiAgICAgICByZXRTdGRvdXQoU3Rkb3V0 LHB3YWl0JiZwaXB3LCFiYWNrYmxvY2spOwoK