From: Wietse Venema Date: Mon, 11 Dec 2006 05:00:00 +0000 (-0500) Subject: postfix-2.3.5 X-Git-Tag: v2.3.5^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6144e048374afe08bb7a492e33fc468217119e3b;p=thirdparty%2Fpostfix.git postfix-2.3.5 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 9d8872889..3f2ecad6d 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -12845,3 +12845,20 @@ Apologies for any names omitted. Cleanup: when smtp_generic_maps is turned on, don't parse MIME structures in the message body. Victor Duchovni. File: smtp/smtp_proto.c. + +20061210 + + Robustness: low-cost re-entrancy guard that allows daemons + to call msg_fatal() etc. from a signal handler, without + risking memory corruption, or deadlock on Redhat Linux. + This works provided that the signal handler never returns. + In that special case we need not guarantee after-the-fact + consistency of the interrupted process. File: util/msg_output.c. + + Robustness: replace exit() calls by _exit(). File: util/msg.c, + bounce/bounce_cleanup.c. + + Cleanup: document under what conditions these protections + work, with REENTRANCY sections in the relevant man pages. + Files: util/vbuf.c. util/msg.c, util/msg_output.c. + diff --git a/postfix/html/bounce.5.html b/postfix/html/bounce.5.html index 7d5ebac31..e6c23320c 100644 --- a/postfix/html/bounce.5.html +++ b/postfix/html/bounce.5.html @@ -81,7 +81,7 @@ BOUNCE(5) BOUNCE(5) I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. - For further assistance, please send mail to <postmaster> + For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. diff --git a/postfix/man/man5/bounce.5 b/postfix/man/man5/bounce.5 index ce3d03735..4c6215ab3 100644 --- a/postfix/man/man5/bounce.5 +++ b/postfix/man/man5/bounce.5 @@ -91,7 +91,7 @@ This is the mail system at host $myhostname. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. -For further assistance, please send mail to +For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. diff --git a/postfix/proto/bounce b/postfix/proto/bounce index f770a5e33..842cad9b8 100644 --- a/postfix/proto/bounce +++ b/postfix/proto/bounce @@ -81,7 +81,7 @@ # I'm sorry to have to inform you that your message could not # be delivered to one or more recipients. It's attached below. # -# For further assistance, please send mail to +# For further assistance, please send mail to postmaster. # # If you do so, please include this problem report. You can # delete your own text from the attached returned message. diff --git a/postfix/src/bounce/bounce_cleanup.c b/postfix/src/bounce/bounce_cleanup.c index a68850a5b..9fb900bb0 100644 --- a/postfix/src/bounce/bounce_cleanup.c +++ b/postfix/src/bounce/bounce_cleanup.c @@ -129,7 +129,7 @@ static void bounce_cleanup_sig(int sig) */ if (bounce_cleanup_path) (void) unlink(vstring_str(bounce_cleanup_path)); - exit(sig); + _exit(sig); } /* bounce_cleanup_register - register logfile to clean up */ diff --git a/postfix/src/bounce/bounce_templates.c b/postfix/src/bounce/bounce_templates.c index cf4ce98b1..cdea765d2 100644 --- a/postfix/src/bounce/bounce_templates.c +++ b/postfix/src/bounce/bounce_templates.c @@ -98,7 +98,7 @@ static const char *def_bounce_failure_body[] = { "I'm sorry to have to inform you that your message could not", "be delivered to one or more recipients. It's attached below.", "", - "For further assistance, please send mail to " MAIL_ADDR_POSTMASTER, + "For further assistance, please send mail to " MAIL_ADDR_POSTMASTER ".", "", "If you do so, please include this problem report. You can", "delete your own text from the attached returned message.", @@ -134,7 +134,7 @@ static const char *def_bounce_delay_body[] = { , "It will be retried until it is $maximal_queue_lifetime_days day(s) old.", "", - "For further assistance, please send mail to " MAIL_ADDR_POSTMASTER, + "For further assistance, please send mail to " MAIL_ADDR_POSTMASTER ".", "", "If you do so, please include this problem report. You can", "delete your own text from the attached returned message.", diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 2e1d3093c..73a4cff0c 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20061208" -#define MAIL_VERSION_NUMBER "2.3.5-RC2" +#define MAIL_RELEASE_DATE "20061211" +#define MAIL_VERSION_NUMBER "2.3.5" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/util/msg.c b/postfix/src/util/msg.c index 3aac01976..ae7798017 100644 --- a/postfix/src/util/msg.c +++ b/postfix/src/util/msg.c @@ -39,7 +39,7 @@ /* to the standard error stream, but the disposition can be changed /* by the user. See the hints below in the SEE ALSO section. /* -/* msg_info(), msg_warn(), msg_error(), msg_fatal() and msg_panic() +/* msg_info(), msg_warn(), msg_error(), msg_fatal*() and msg_panic() /* produce a one-line record with the program name, a severity code /* (except for msg_info()), and an informative message. The program /* name must have been set by calling one of the msg_XXX_init() @@ -72,6 +72,40 @@ /* msg_verbose is a global flag that can be set to make software /* more verbose about what it is doing. By default the flag is zero. /* By convention, a larger value means more noise. +/* REENTRANCY +/* .ad +/* .fi +/* The msg_info() etc. output routines are protected against +/* ordinary recursive calls and against re-entry by signal +/* handlers. +/* +/* Protection against re-entry by signal handlers is subject +/* to the following limitations: +/* .IP \(bu +/* The signal handlers must never return. In other words, the +/* signal handlers must do one or more of the following: call +/* _exit(), kill the process with a signal, and permanently block +/* the process. +/* .IP \(bu +/* The signal handlers must invoke msg_info() etc. not until +/* after the msg_XXX_init() functions complete initialization, +/* and not until after the first formatted output to a VSTRING +/* or VSTREAM. +/* .IP \(bu +/* Each msg_cleanup() call-back function, and each Postfix or +/* system function invoked by that call-back function, either +/* protects itself against recursive calls and re-entry by a +/* terminating signal handler, or is called exclusively by the +/* msg(3) module. +/* .PP +/* When re-entrancy is detected, the requested output and +/* optional cleanup operations are skipped. Skipping the output +/* operations prevents memory corruption of VSTREAM_ERR data +/* structures, and prevents deadlock on Linux releases that +/* use mutexes within system library routines such as syslog(). +/* This protection exists under the condition that these +/* specific resources are accessed exclusively via the msg_info() +/* etc. functions. /* SEE ALSO /* msg_output(3) specify diagnostics disposition /* msg_stdio(3) direct diagnostics to standard I/O stream @@ -118,14 +152,23 @@ int msg_verbose = 0; /* - * Private state. The msg_exiting flag prevents us from recursively - * reporting an error. + * Private state. */ static MSG_CLEANUP_FN msg_cleanup_fn = 0; -static int msg_exiting = 0; static int msg_error_count = 0; static int msg_error_bound = 13; + /* + * The msg_exiting flag prevents us from recursively reporting an error with + * msg_fatal*() or msg_panic(), and provides a first-level safety net for + * optional cleanup actions against signal handler re-entry problems. Note + * that msg_vprintf() implements its own guard against re-entry. + * + * XXX We specify global scope, to discourage the compiler from doing smart + * things. + */ +volatile int msg_exiting = 0; + /* msg_info - report informative message */ void msg_info(const char *fmt,...) @@ -175,7 +218,8 @@ NORETURN msg_fatal(const char *fmt,...) msg_cleanup_fn(); } sleep(1); - exit(1); + /* In case we're running as a signal handler. */ + _exit(1); } /* msg_fatal_status - report error and terminate gracefully */ @@ -192,7 +236,8 @@ NORETURN msg_fatal_status(int status, const char *fmt,...) msg_cleanup_fn(); } sleep(1); - exit(status); + /* In case we're running as a signal handler. */ + _exit(status); } /* msg_panic - report error and dump core */ @@ -208,7 +253,8 @@ NORETURN msg_panic(const char *fmt,...) } sleep(1); abort(); /* Die! */ - exit(1); /* DIE!! */ + /* In case we're running as a signal handler. */ + _exit(1); /* DIE!! */ } /* msg_cleanup - specify cleanup routine */ diff --git a/postfix/src/util/msg_output.c b/postfix/src/util/msg_output.c index 889206bdb..ebef3c6cf 100644 --- a/postfix/src/util/msg_output.c +++ b/postfix/src/util/msg_output.c @@ -40,6 +40,36 @@ /* /* msg_text() copies a pre-formatted text, sanitizes the result, and /* calls the output handlers registered with msg_output(). +/* REENTRANCY +/* .ad +/* .fi +/* The above output routines are protected against ordinary +/* recursive calls and against re-entry by signal +/* handlers, with the following limitations: +/* .IP \(bu +/* The signal handlers must never return. In other words, the +/* signal handlers must do one or more of the following: call +/* _exit(), kill the process with a signal, and permanently +/* block the process. +/* .IP \(bu +/* The signal handlers must call the above output routines not +/* until after msg_output() completes initialization, and not +/* until after the first formatted output to a VSTRING or +/* VSTREAM. +/* .IP \(bu +/* Each msg_output() call-back function, and each Postfix or +/* system function called by that call-back function, either +/* must protect itself against recursive calls and re-entry +/* by a terminating signal handler, or it must be called +/* exclusively by functions in the msg_output(3) module. +/* .PP +/* When re-entrancy is detected, the requested output operation +/* is skipped. This prevents memory corruption of VSTREAM_ERR +/* data structures, and prevents deadlock on Linux releases +/* that use mutexes within system library routines such as +/* syslog(). This protection exists under the condition that +/* these specific resources are accessed exclusively via +/* msg_output() call-back functions. /* LICENSE /* .ad /* .fi @@ -67,6 +97,12 @@ #include #include + /* + * Global scope, to discourage the compiler from doing smart things. + */ +volatile int msg_vprintf_lock; +volatile int msg_text_lock; + /* * Private state. */ @@ -79,6 +115,12 @@ static VSTRING *msg_buffer = 0; void msg_output(MSG_OUTPUT_FN output_fn) { + /* + * Allocate all resources during initialization. + */ + if (msg_buffer == 0) + msg_buffer = vstring_alloc(100); + /* * We're not doing this often, so avoid complexity and allocate memory * for an exact fit. @@ -106,10 +148,13 @@ void msg_printf(int level, const char *format,...) void msg_vprintf(int level, const char *format, va_list ap) { - if (msg_buffer == 0) - msg_buffer = vstring_alloc(100); - vstring_vsprintf(msg_buffer, percentm(format, errno), ap); - msg_text(level, vstring_str(msg_buffer)); + if (msg_vprintf_lock == 0) { + msg_vprintf_lock = 1; + /* OK if terminating signal handler hijacks control before next stmt. */ + vstring_vsprintf(msg_buffer, percentm(format, errno), ap); + msg_text(level, vstring_str(msg_buffer)); + msg_vprintf_lock = 0; + } } /* msg_text - sanitize and log pre-formatted text */ @@ -121,13 +166,17 @@ void msg_text(int level, const char *text) /* * Sanitize the text. Use a private copy if necessary. */ - if (msg_buffer == 0) - msg_buffer = vstring_alloc(100); - if (text != vstring_str(msg_buffer)) - vstring_strcpy(msg_buffer, text); - printable(vstring_str(msg_buffer), '?'); - if (msg_output_fn_count == 0) - msg_vstream_init("unknown", VSTREAM_ERR); - for (i = 0; i < msg_output_fn_count; i++) - msg_output_fn[i] (level, vstring_str(msg_buffer)); + if (msg_text_lock == 0) { + msg_text_lock = 1; + /* OK if terminating signal handler hijacks control before next stmt. */ + if (text != vstring_str(msg_buffer)) + vstring_strcpy(msg_buffer, text); + printable(vstring_str(msg_buffer), '?'); + /* On-the-fly initialization for debugging test programs only. */ + if (msg_output_fn_count == 0) + msg_vstream_init("unknown", VSTREAM_ERR); + for (i = 0; i < msg_output_fn_count; i++) + msg_output_fn[i] (level, vstring_str(msg_buffer)); + msg_text_lock = 0; + } } diff --git a/postfix/src/util/vbuf_print.c b/postfix/src/util/vbuf_print.c index e64b15b2e..8b9878d33 100644 --- a/postfix/src/util/vbuf_print.c +++ b/postfix/src/util/vbuf_print.c @@ -20,6 +20,18 @@ /* In addition, vbuf_print() recognizes the %m format specifier /* and expands it to the error message corresponding to the current /* value of the global \fIerrno\fR variable. +/* REENTRANCY +/* .ad +/* .fi +/* vbuf_print() allocates a static buffer. After completion +/* of the first vbuf_print() call, this buffer is safe for +/* reentrant vbuf_print() calls by (asynchronous) terminating +/* signal handlers or by (synchronous) terminating error +/* handlers. vbuf_print() initialization typically happens +/* upon the first formatted output to a VSTRING or VSTREAM. +/* +/* However, it is up to the caller to ensure that the destination +/* VSTREAM or VSTRING buffer is protected against reentrant usage. /* LICENSE /* .ad /* .fi