mailbox_cache_size() has a bounds test which is incorrect: see attached.
Solaris/x86 appears to mmap() things right at the top of memory, which means that cacheitembegin + mailbox->cache_size can overflow. Linux/x86 mmap()s things somewhere in the middle of the memory map, so the problem isn't visible there.
make_md5, make_sha1 and sync_server are the only things which appear to call mailbox_cache_size(), so not a huge deal.
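The same bounds test written against offsets instead of pointers, as an added illustration that is not part of David Carter's patch or of Cyrus: the item layout (a 4-byte big-endian length followed by that many bytes, NUM_CACHE_FIELDS items per record) and the sample map are constructed for the demo, and the limit is the end of the mapping rather than `cacheitembegin + cache_size`, so no address past the map is ever formed.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-alone illustration (not Cyrus code): a record is NUM_CACHE_FIELDS
 * items, each a 4-byte big-endian length followed by that many bytes. */
#define NUM_CACHE_FIELDS 3
#define LEN_BYTES 4

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Size in bytes of the record at offset `start` in a cache map of
 * `cache_size` bytes, or 0 if any item runs past the map.  Bounds are
 * checked as "length <= bytes remaining", so the code never forms an
 * address past the end of the mapping (which can wrap when the map sits
 * near the top of the address space) and the limit is the end of the
 * map itself, not start + cache_size. */
size_t cache_record_size(const unsigned char *cache_base, size_t cache_size,
                         size_t start)
{
    size_t off = start;
    int field;
    if (start > cache_size)
        return 0;
    for (field = 0; field < NUM_CACHE_FIELDS; field++) {
        size_t remaining = cache_size - off;
        uint32_t len;
        if (remaining < LEN_BYTES)
            return 0;               /* no room for the length field */
        len = read_be32(cache_base + off);
        if (len > remaining - LEN_BYTES)
            return 0;               /* clearly bogus: item leaves the map */
        off += LEN_BYTES + len;
    }
    return off - start;
}

/* Constructed 30-byte map: a valid 17-byte record at offset 0, then a
 * record at offset 17 whose second item claims 0xffffffff bytes. */
static const unsigned char sample_map[30] = {
    0,0,0,2, 'a','b',  0,0,0,0,  0,0,0,3, 'x','y','z',
    0,0,0,1, 'q',  0xff,0xff,0xff,0xff,  0,0,0,0
};

size_t demo_good_record(void)  { return cache_record_size(sample_map, sizeof sample_map, 0); }
size_t demo_bogus_record(void) { return cache_record_size(sample_map, sizeof sample_map, 17); }
```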
-- David Carter Email: [email protected] University Computing Service, Phone: (01223) 334502 New Museums Site, Pembroke Street, Fax: (01223) 334679 Cambridge UK. CB2 3QH. Index: imap/mailbox.c =================================================================== RCS file: /cvs/src/cyrus/imap/mailbox.c,v retrieving revision 1.193 diff -u -d -r1.193 mailbox.c --- imap/mailbox.c 5 May 2009 01:20:02 -0000 1.193 +++ imap/mailbox.c 2 Jul 2009 16:41:23 -0000 @@ -320,8 +320,8 @@ return 0; for (cache_ent = 0; cache_ent < NUM_CACHE_FIELDS; cache_ent++) { cacheitem = CACHE_ITEM_NEXT(cacheitem); - if (cacheitem < cacheitembegin || - cacheitem > cacheitembegin + mailbox->cache_size) { + if ((cacheitem < cacheitembegin) || + (cacheitem > mailbox->cache_base + mailbox->cache_size)) { return 0; /* clearly bogus */ } }
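Review bot: the new upper bound `mailbox->cache_base + mailbox->cache_size` is the end of the mapped region, which is the right limit; the old `cacheitembegin + mailbox->cache_size` was not only prone to wrapping near the top of the address space but also lay (cacheitembegin - cache_base) bytes past the end of the map, so it admitted pointers beyond the mapping whenever the record did not start at cache_base. Two things worth tightening while here: forming `cacheitem` past the end of the mapping and then relying on `cacheitem < cacheitembegin` to catch the wrap is still undefined pointer arithmetic in C, so comparing offsets, e.g. `if ((size_t)(cacheitem - mailbox->cache_base) > mailbox->cache_size)`, keeps the check on defined ground; and since the test is `>` rather than `>=`, a cacheitem exactly equal to cache_base + cache_size passes, which is fine for the end of the last field but should be confirmed safe if CACHE_ITEM_NEXT reads through cacheitem on the following iteration.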
