Mailing List Archive

segfault in smtp.c, first_addr == NULL
I am having some trouble with a listserver running Exim. Exim is
segfaulting. It is crashing here:

  if (rc == DEFER && first_addr->basic_errno != ERRNO_AUTHFAIL
      && first_addr->basic_errno != ERRNO_TLSFAILURE)
    write_logs(first_addr, host);

because rc==DEFER and first_addr==NULL. I read prepare_addresses and
it appears that prepare_addresses could return NULL if all the
addresses were PENDING_DEFER. I have no idea whether this is supposed
to be possible.

Can anyone help?

I'm running Debian's exim4-daemon-light 4.89-2+deb9u3 on amd64.
Please find gdb backtrace and exim -d -M output below.

The problem is a nuisance because these are bouncing list mails which
ought to go back to the mailman bounce handler. But, I think because
of the segfault, they end up becoming frozen and generating lots of
postmaster mail.

Thanks for any help.

Ian.

Program received signal SIGSEGV, Segmentation fault.
0x000055b4b0f6a61b in smtp_transport_entry (tblock=0x55b4b2670748, addrlist=0x55b4b2679e28) at smtp.c:4031
4031 smtp.c: No such file or directory.
(gdb) bt
#0 0x000055b4b0f6a61b in smtp_transport_entry (tblock=0x55b4b2670748, addrlist=0x55b4b2679e28) at smtp.c:4031
#1 0x000055b4b0ef0a0c in do_remote_deliveries (fallback=fallback@entry=0) at deliver.c:4655
#2 0x000055b4b0ef5664 in deliver_message (id=0x7ffc41803e72 "1gmJgS-0002OT-QR", forced=<optimized out>, give_up=<optimized out>)
at deliver.c:7008
#3 0x000055b4b0edd661 in main (argc=<optimized out>, cargv=0x7ffc418037f8) at exim.c:4659
(gdb) print first_addr
$1 = (address_item *) 0x0
(gdb) print rc
$2 = 1
(gdb) print addrlist
$3 = (address_item *) 0x55b4b2679e28
(gdb) print *addrlist
$4 = {next = 0x0, parent = 0x0, first = 0x0, dupof = 0x0, start_router = 0x0, router = 0x55b4b266c4f0, transport = 0x55b4b2670748,
host_list = 0x55b4b267f398, host_used = 0x55b4b267f398, fallback_hosts = 0x0, reply = 0x0, retries = 0x0,
address = 0x55b4b2678388 "***@tiscali.it", unique = 0x55b4b2679fc8 "***@tiscali.it",
cc_local_part = 0x55b4b2679ff0 "***", lc_local_part = 0x55b4b267a000 "***", local_part = 0x55b4b267a000 "***",
prefix = 0x0, suffix = 0x0, domain = 0x55b4b2679fe0 "tiscali.it", address_retry_key = 0x55b4b267a020 "R:***@tiscali.it",
domain_retry_key = 0x55b4b267a010 "R:tiscali.it", current_dir = 0x0, home_dir = 0x0,
message = 0x55b4b267f690 "SMTP error from remote mail server after initial connection: 554 cmgw-2.mail.tiscali.it WcEN1z01n2cE3D401 IP: 192.237.175.120, You are not allowed to send mail. Please see https://app.abusix.ai/delis"..., user_message = 0x0,
onetime_parent = 0x0, pipe_expandn = 0x0, return_filename = 0x0, self_hostname = 0x0, shadow_message = 0x0, cipher = 0x0,
ourcert = 0x0, peercert = 0x0, peerdn = 0x0, ocsp = 0, authenticator = 0x0, auth_id = 0x0, auth_sndr = 0x0, dsn_orcpt = 0x0,
dsn_flags = 0, dsn_aware = 0, uid = 4294967295, gid = 4294967295, flags = 33554432, domain_cache = {15}, localpart_cache = {0},
mode = -1, more_errno = 77, basic_errno = 0, child_count = 0, return_file = -1, special_action = 0, transport_return = 2, prop = {
address_data = 0x0, domain_data = 0x0, localpart_data = 0x0, errors_address = 0x0, extra_headers = 0x0, remove_headers = 0x0}}
(gdb) print addrlist.transport_return
$5 = 2
(gdb)

>>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>
--------> ***@tiscali.it <--------
search_tidyup called
set_process_info: 19542 delivering 1gmJgS-0002OT-QR: waiting for a remote delivery subprocess to finish
selecting on subprocess pipes
changed uid/gid: remote delivery to ***@tiscali.it with transport=remote_smtp
uid=102 gid=104 pid=19543
auxiliary group list: <none>
set_process_info: 19543 delivering 1gmJgS-0002OT-QR using remote_smtp
T: remote_smtp for ***@tiscali.it
remote_smtp transport entered
***@tiscali.it
hostlist:
etb-3.mail.tiscali.it:-1
etb-3.mail.tiscali.it:-1
etb-3.mail.tiscali.it:-1
etb-3.mail.tiscali.it:-1
imp-5.mail.tiscali.it:-1
checking status of etb-3.mail.tiscali.it
locking /var/spool/exim4/db/retry.lockfile
locked /var/spool/exim4/db/retry.lockfile
EXIM_DBOPEN(/var/spool/exim4/db/retry)
returned from EXIM_DBOPEN
opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.63
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.63:1gmJgS-0002OT-QR
closed hints database and lockfile
no host retry record
no message retry record
etb-3.mail.tiscali.it [213.205.33.63] status = usable
213.205.33.63 in serialize_hosts? no (option unset)
delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.63] (***@tiscali.it)
set_process_info: 19543 delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.63] (***@tiscali.it)
Connecting to etb-3.mail.tiscali.it [213.205.33.63]:25 ... 213.205.33.63 in hosts_try_fastopen? no (option unset)
connected
read response data: size=171
SMTP<< 554 cmgw-2.mail.tiscali.it WcEN1z01n2cE3D401 IP: 192.237.175.120, You are not allowed to send mail. Please see https://app.abusix.ai/delist You are listed in Abusix RBL
SMTP>> QUIT
cmd buf flush 6 bytes
SMTP(close)>>
set_process_info: 19543 delivering 1gmJgS-0002OT-QR: just tried etb-3.mail.tiscali.it [213.205.33.63] for ***@tiscali.it: result ?
checking status of etb-3.mail.tiscali.it
locking /var/spool/exim4/db/retry.lockfile
locked /var/spool/exim4/db/retry.lockfile
EXIM_DBOPEN(/var/spool/exim4/db/retry)
returned from EXIM_DBOPEN
opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.61
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.61:1gmJgS-0002OT-QR
closed hints database and lockfile
no host retry record
no message retry record
etb-3.mail.tiscali.it [213.205.33.61] status = usable
213.205.33.61 in serialize_hosts? no (option unset)
delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.61] (***@tiscali.it)
set_process_info: 19543 delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.61] (***@tiscali.it)
Connecting to etb-3.mail.tiscali.it [213.205.33.61]:25 ... 213.205.33.61 in hosts_try_fastopen? no (option unset)
connected
read response data: size=171
SMTP<< 554 cmgw-1.mail.tiscali.it WcEe1z00Z2cE3D401 IP: 192.237.175.120, You are not allowed to send mail. Please see https://app.abusix.ai/delist You are listed in Abusix RBL
SMTP>> QUIT
cmd buf flush 6 bytes
SMTP(close)>>
set_process_info: 19543 delivering 1gmJgS-0002OT-QR: just tried etb-3.mail.tiscali.it [213.205.33.61] for ***@tiscali.it: result ?
checking status of etb-3.mail.tiscali.it
locking /var/spool/exim4/db/retry.lockfile
locked /var/spool/exim4/db/retry.lockfile
EXIM_DBOPEN(/var/spool/exim4/db/retry)
returned from EXIM_DBOPEN
opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.62
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.62:1gmJgS-0002OT-QR
closed hints database and lockfile
no host retry record
no message retry record
etb-3.mail.tiscali.it [213.205.33.62] status = usable
213.205.33.62 in serialize_hosts? no (option unset)
delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.62] (***@tiscali.it)
set_process_info: 19543 delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.62] (***@tiscali.it)
Connecting to etb-3.mail.tiscali.it [213.205.33.62]:25 ... 213.205.33.62 in hosts_try_fastopen? no (option unset)
connected
read response data: size=171
SMTP<< 554 cmgw-2.mail.tiscali.it WcEs1z01j2cE3D401 IP: 192.237.175.120, You are not allowed to send mail. Please see https://app.abusix.ai/delist You are listed in Abusix RBL
SMTP>> QUIT
cmd buf flush 6 bytes
SMTP(close)>>
set_process_info: 19543 delivering 1gmJgS-0002OT-QR: just tried etb-3.mail.tiscali.it [213.205.33.62] for ***@tiscali.it: result ?
checking status of etb-3.mail.tiscali.it
locking /var/spool/exim4/db/retry.lockfile
locked /var/spool/exim4/db/retry.lockfile
EXIM_DBOPEN(/var/spool/exim4/db/retry)
returned from EXIM_DBOPEN
opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.64
dbfn_read: key=T:etb-3.mail.tiscali.it:213.205.33.64:1gmJgS-0002OT-QR
closed hints database and lockfile
no host retry record
no message retry record
etb-3.mail.tiscali.it [213.205.33.64] status = usable
213.205.33.64 in serialize_hosts? no (option unset)
delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.64] (***@tiscali.it)
set_process_info: 19543 delivering 1gmJgS-0002OT-QR to etb-3.mail.tiscali.it [213.205.33.64] (***@tiscali.it)
Connecting to etb-3.mail.tiscali.it [213.205.33.64]:25 ... 213.205.33.64 in hosts_try_fastopen? no (option unset)
connected
read response data: size=171
SMTP<< 554 cmgw-2.mail.tiscali.it WcF61z03S2cE3D401 IP: 192.237.175.120, You are not allowed to send mail. Please see https://app.abusix.ai/delist You are listed in Abusix RBL
SMTP>> QUIT
cmd buf flush 6 bytes
SMTP(close)>>
set_process_info: 19543 delivering 1gmJgS-0002OT-QR: just tried etb-3.mail.tiscali.it [213.205.33.64] for ***@tiscali.it: result ?
checking status of imp-5.mail.tiscali.it
locking /var/spool/exim4/db/retry.lockfile
locked /var/spool/exim4/db/retry.lockfile
EXIM_DBOPEN(/var/spool/exim4/db/retry)
returned from EXIM_DBOPEN
opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
dbfn_read: key=T:imp-5.mail.tiscali.it:213.205.33.244
dbfn_read: key=T:imp-5.mail.tiscali.it:213.205.33.244:1gmJgS-0002OT-QR
closed hints database and lockfile
no host retry record
no message retry record
imp-5.mail.tiscali.it [213.205.33.244] status = usable
213.205.33.244 in serialize_hosts? no (option unset)
delivering 1gmJgS-0002OT-QR to imp-5.mail.tiscali.it [213.205.33.244] (***@tiscali.it)
set_process_info: 19543 delivering 1gmJgS-0002OT-QR to imp-5.mail.tiscali.it [213.205.33.244] (***@tiscali.it)
hosts_max_try limit reached with this host
Connecting to imp-5.mail.tiscali.it [213.205.33.244]:25 ... 213.205.33.244 in hosts_try_fastopen? no (option unset)
connected
selecting on subprocess pipes
read response data: size=33
SMTP<< 421 4.2.1 Service not available
SMTP>> QUIT
cmd buf flush 6 bytes
SMTP(close)>>


--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: segfault in smtp.c, first_addr == NULL
On 31/01/2019 15:47, Ian Jackson via Exim-users wrote:
> I am having some trouble with a listserver running Exim. Exim is
> segfaulting. It is crashing here:
>
>   if (rc == DEFER && first_addr->basic_errno != ERRNO_AUTHFAIL
>       && first_addr->basic_errno != ERRNO_TLSFAILURE)
>     write_logs(first_addr, host);
>
> because rc==DEFER and first_addr==NULL.

(transport/smtp.c about line 5116)

> I read prepare_addresses and
> it appears that prepare_addresses could return NULL if all the
> addresses were PENDING_DEFER.

Any time there was no address in DEFER state, as I read it. Do you
have some reason to pick PENDING_DEFER?

From the comment just before the loop starting 4702
(looping to handle cutoff_retry; within that, loop over
the host list trying to send the addrlist to each host)
the PENDING_DEFER state is transient within each host iteration,
flagging those addrs being attempted.

Are you thinking the flagging isn't cleared?

It's annoying we don't see evidence of the crash in the debug
output. I'd expect the parent of the transport process to report
the SIGSEGV, but we don't see beyond the transport closing a
connection. We can't trust, from that, that the crash occurred
at that time.
It's interesting that the hosts_max_try limit has
just been reached with this last host; that would be reason for
leaving the hosts loop. It's also the first to give 4xx for a banner;
the previous were all 5xx - though I don't see how that could be a
factor.
--
Cheers,
Jeremy
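
Added example, not part of the thread and not Exim's code or its fix: a simplified C model of the state shown in the gdb output (rc == 1, a single address with transport_return == 2, first_addr == NULL), with the quoted condition guarded against a NULL first_addr. The struct layout, the helper names first_deferred, should_write_logs and log_decision, the name FAIL for state 2, and the ERRNO_* values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Model constants. DEFER == 1 and address state 2 match the gdb output in
   the thread; the name FAIL and the ERRNO_* values are placeholders. */
enum { OK = 0, DEFER = 1, FAIL = 2 };
enum { ERRNO_AUTHFAIL = -1, ERRNO_TLSFAILURE = -2 };

typedef struct address_item {
  struct address_item *next;
  int transport_return;   /* per-address delivery state */
  int basic_errno;
} address_item;

/* Hypothetical stand-in for the selection step discussed in the thread:
   return the first address in DEFER state, or NULL when there is none. */
static address_item *first_deferred(address_item *addrlist)
{
  for (address_item *a = addrlist; a != NULL; a = a->next)
    if (a->transport_return == DEFER) return a;
  return NULL;
}

/* The condition from the post with a NULL test added before the
   dereference. Returns 1 when the deferral would be logged, else 0. */
static int should_write_logs(int rc, const address_item *first_addr)
{
  return rc == DEFER
      && first_addr != NULL
      && first_addr->basic_errno != ERRNO_AUTHFAIL
      && first_addr->basic_errno != ERRNO_TLSFAILURE;
}

/* Build a one-address list in the given state and report the decision. */
static int log_decision(int state, int basic_errno, int rc)
{
  address_item only = { NULL, state, basic_errno };
  return should_write_logs(rc, first_deferred(&only));
}

int main(void)
{
  /* Constructed input mirroring the backtrace: state 2, basic_errno 0, rc 1. */
  printf("crash state logged: %d\n", log_decision(FAIL, 0, DEFER));
  printf("deferred address logged: %d\n", log_decision(DEFER, 0, DEFER));
  return 0;
}
```

The guard only removes the NULL dereference in this model; it does not explain why rc can be DEFER while no address is left in DEFER state, which is the question the thread leaves open.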
