imap4d: redo signal handling

Previously implemented way of signal handling was unsafe because of
the use of unsafe functions in signal handlers. It also allowed for
recursive invocations of MU calls not supposed to handle recursion
(such as mu_mailbox_expunge, for example). This changeset fixes it.

* imap4d/imap4d.c (imap4d_child_signal_setup): Change signal set.
(imap4d_mainloop): Set a jump point for signal handling.
Restore default handling for SIGILL, SIGBUS, SIGFPE, SIGSEGV, SIGSTOP.
(master_jmp): New variable.
(imap4d_master_signal): New function.
(main): Redo signal handling.
* imap4d/imap4d.h (child_jmp): New extern.
(imap4d_enter_critical,imap4d_leave_critical): New protos.
* imap4d/signal.c (imap4d_master_signal): Move to imap4d.c
(imap4d_enter_critical,imap4d_leave_critical): New functions.
(imap4d_child_signal): Rewrite.

* imap4d/append.c: Protect critical sections.
* imap4d/bye.c: Likewise.
* imap4d/close.c: Likewise.
* imap4d/copy.c: Likewise.
* imap4d/delete.c: Likewise.
* imap4d/expunge.c: Likewise.
* imap4d/rename.c: Likewise.
* imap4d/select.c: Likewise.
* imap4d/status.c: Likewise.

* scheme/Makefile.am (sievemod_DATA): Add guimb.scmi.

@@ -125,6 +125,7 @@ imap4d_append0 (mu_mailbox_t mbox, int flags, char *date_time, char *text,
       return 1;
       return 1;
     }
     }
 
 
+  imap4d_enter_critical ();
   rc = mu_mailbox_append_message (mbox, msg);
   rc = mu_mailbox_append_message (mbox, msg);
   if (rc == 0)
   if (rc == 0)
     {
     {
@@ -140,6 +141,7 @@ imap4d_append0 (mu_mailbox_t mbox, int flags, char *date_time, char *text,
       /* FIXME: If not INBOX */
       /* FIXME: If not INBOX */
       quota_update (size);
       quota_update (size);
     }
     }
+  imap4d_leave_critical ();
   
   
   mu_message_destroy (&msg, &tm);
   mu_message_destroy (&msg, &tm);
   return rc;
   return rc;

@@ -36,17 +36,39 @@ imap4d_bye0 (int reason, struct imap4d_command *command)
 {
 {
   int status = EX_SOFTWARE;
   int status = EX_SOFTWARE;
 
 
+  /* Some clients may close the connection immediately after sending
+     LOGOUT.  Do not treat this as error (RFC 2683).
+     To be on the safe side, ignore broken pipes for any command: at
+     this stage it is of no significance. */
+  static int sigtab[] = { SIGPIPE };
+  mu_set_signals (sigpipe, sigtab, MU_ARRAY_SIZE (sigtab));
+  if (setjmp (pipejmp))
+    {
+      mu_set_signals (SIG_IGN, sigtab, MU_ARRAY_SIZE (sigtab));
+      /* Invalidate iostream. This creates a mild memory leak, as the
+	 stream is not destroyed by util_bye, but at least this avoids
+	 endless loop which would happen when mu_stream_flush would
+	 try to flush buffers on an already broken pipe.
+	 FIXME: There must be a special function for that, I guess.
+	 Something like mu_stream_invalidate. */
+      iostream = NULL;
+    }
+  else
+    {
       if (mbox)
       if (mbox)
 	{
 	{
+	  imap4d_enter_critical ();
 	  mu_mailbox_flush (mbox, 0);
 	  mu_mailbox_flush (mbox, 0);
 	  mu_mailbox_close (mbox);
 	  mu_mailbox_close (mbox);
 	  mu_mailbox_destroy (&mbox);
 	  mu_mailbox_destroy (&mbox);
+	  imap4d_leave_critical ();
 	}
 	}
 
 
       switch (reason)
       switch (reason)
 	{
 	{
 	case ERR_NO_MEM:
 	case ERR_NO_MEM:
-      io_untagged_response (RESP_BYE, "Server terminating: no more resources.");
+	  io_untagged_response (RESP_BYE,
+				"Server terminating: no more resources.");
 	  mu_diag_output (MU_DIAG_ERROR, _("not enough memory"));
 	  mu_diag_output (MU_DIAG_ERROR, _("not enough memory"));
 	  break;
 	  break;
 	  
 	  
@@ -66,7 +88,8 @@ imap4d_bye0 (int reason, struct imap4d_command *command)
 	  if (state == STATE_NONAUTH)
 	  if (state == STATE_NONAUTH)
 	    mu_diag_output (MU_DIAG_INFO, _("session timed out for no user"));
 	    mu_diag_output (MU_DIAG_INFO, _("session timed out for no user"));
 	  else
 	  else
-	mu_diag_output (MU_DIAG_INFO, _("session timed out for user: %s"), auth_data->name);
+	    mu_diag_output (MU_DIAG_INFO, _("session timed out for user: %s"),
+			    auth_data->name);
 	  break;
 	  break;
 
 
 	case ERR_NO_OFILE:
 	case ERR_NO_OFILE:
@@ -95,31 +118,20 @@ imap4d_bye0 (int reason, struct imap4d_command *command)
 	  if (state == STATE_NONAUTH)
 	  if (state == STATE_NONAUTH)
 	    mu_diag_output (MU_DIAG_INFO, _("session terminating"));
 	    mu_diag_output (MU_DIAG_INFO, _("session terminating"));
 	  else
 	  else
-	mu_diag_output (MU_DIAG_INFO, _("session terminating for user: %s"), auth_data->name);
+	    mu_diag_output (MU_DIAG_INFO,
+			    _("session terminating for user: %s"),
+			    auth_data->name);
 	  break;
 	  break;
 
 
 	default:
 	default:
 	  io_untagged_response (RESP_BYE, "Quitting (reason unknown)");
 	  io_untagged_response (RESP_BYE, "Quitting (reason unknown)");
-      mu_diag_output (MU_DIAG_ERROR, _("quitting (numeric reason %d)"), reason);
+	  mu_diag_output (MU_DIAG_ERROR, _("quitting (numeric reason %d)"),
+			  reason);
 	  break;
 	  break;
 	}
 	}
       
       
       if (status == EX_OK && command)
       if (status == EX_OK && command)
-    {
-      /* Some clients may close the connection immediately after sending
-	 LOGOUT.  Do not treat this as error (RFC 2683). */
-      static int sigtab[] = { SIGPIPE };
-      mu_set_signals (sigpipe, sigtab, MU_ARRAY_SIZE (sigtab));
-      if (setjmp (pipejmp) == 0)
 	io_completion_response (command, RESP_OK, "Completed");
 	io_completion_response (command, RESP_OK, "Completed");
-      else
-	/* Invalidate iostream. This creates a mild memory leak, as the
-	   stream is not destroyed by util_bye, but at least this avoids
-	   endless loop which would happen when mu_stream_flush would
-	   try to flush buffers on an already broken pipe.
-	   FIXME: There must be a special function for that, I guess.
-	   Something like mu_stream_invalidate. */
-	iostream = NULL;
     }
     }
   
   
   util_bye ();
   util_bye ();

@@ -30,7 +30,9 @@ imap4d_close0 (struct imap4d_command *command, imap4d_tokbuf_t tok,
   mu_mailbox_get_flags (mbox, &flags);
   mu_mailbox_get_flags (mbox, &flags);
   if (flags & MU_STREAM_WRITE)
   if (flags & MU_STREAM_WRITE)
     {
     {
+      imap4d_enter_critical ();
       status = mu_mailbox_flush (mbox, expunge);
       status = mu_mailbox_flush (mbox, expunge);
+      imap4d_leave_critical ();
       if (status)
       if (status)
 	{
 	{
 	  mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_flush", NULL, status);
 	  mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_flush", NULL, status);
@@ -40,7 +42,9 @@ imap4d_close0 (struct imap4d_command *command, imap4d_tokbuf_t tok,
   
   
   /* No messages are removed, and no error is given, if the mailbox is
   /* No messages are removed, and no error is given, if the mailbox is
      selected by an EXAMINE command or is otherwise selected read-only.  */
      selected by an EXAMINE command or is otherwise selected read-only.  */
+  imap4d_enter_critical ();
   status = mu_mailbox_close (mbox);
   status = mu_mailbox_close (mbox);
+  imap4d_leave_critical ();
   if (status)
   if (status)
     {
     {
       mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_close", NULL, status);
       mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_close", NULL, status);

@@ -119,7 +119,9 @@ try_copy (mu_mailbox_t dst, mu_mailbox_t src, size_t n, size_t *set)
 	      return RESP_BAD;
 	      return RESP_BAD;
 	    }
 	    }
 
 
+	  imap4d_enter_critical ();
 	  status = mu_mailbox_append_message (dst, msg);
 	  status = mu_mailbox_append_message (dst, msg);
+	  imap4d_leave_critical ();
 	  if (status)
 	  if (status)
 	    {
 	    {
 	      mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_append_message",
 	      mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_append_message",
@@ -186,7 +188,9 @@ safe_copy (mu_mailbox_t dst, mu_mailbox_t src, size_t n, size_t *set,
 	    }
 	    }
 	}
 	}
 
 
+      imap4d_enter_critical ();
       status = mu_mailbox_flush (dst, 1);
       status = mu_mailbox_flush (dst, 1);
+      imap4d_leave_critical ();
       if (status)
       if (status)
 	{
 	{
 	  mu_url_t url = NULL;
 	  mu_url_t url = NULL;

@@ -56,7 +56,9 @@ imap4d_delete (struct imap4d_command *command, imap4d_tokbuf_t tok)
   rc = mu_mailbox_create (&tmpbox, name);
   rc = mu_mailbox_create (&tmpbox, name);
   if (rc == 0)
   if (rc == 0)
     {
     {
+      imap4d_enter_critical ();
       rc = mu_mailbox_remove (tmpbox);
       rc = mu_mailbox_remove (tmpbox);
+      imap4d_leave_critical ();
       mu_mailbox_destroy (&tmpbox);
       mu_mailbox_destroy (&tmpbox);
       if (rc)
       if (rc)
 	mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_remove", name, rc);
 	mu_diag_funcall (MU_DIAG_ERROR, "mu_mailbox_remove", name, rc);

@@ -36,8 +36,10 @@ imap4d_expunge (struct imap4d_command *command, imap4d_tokbuf_t tok)
   if (imap4d_tokbuf_argc (tok) != 2)
   if (imap4d_tokbuf_argc (tok) != 2)
     return io_completion_response (command, RESP_BAD, "Invalid arguments");
     return io_completion_response (command, RESP_BAD, "Invalid arguments");
 
 
+  imap4d_enter_critical ();
   /* FIXME: check for errors.  */
   /* FIXME: check for errors.  */
   mu_mailbox_expunge (mbox);
   mu_mailbox_expunge (mbox);
+  imap4d_leave_critical ();
   
   
   imap4d_sync_invalidate ();
   imap4d_sync_invalidate ();
   imap4d_sync ();
   imap4d_sync ();

@@ -385,11 +385,12 @@ get_client_address (int fd, struct sockaddr_in *pcs)
   return 0;
   return 0;
 }
 }
 
 
+
 void
 void
 imap4d_child_signal_setup (RETSIGTYPE (*handler) (int signo))
 imap4d_child_signal_setup (RETSIGTYPE (*handler) (int signo))
 {
 {
-  static int sigtab[] = { SIGILL, SIGBUS, SIGFPE, SIGSEGV, SIGSTOP, SIGPIPE,
-			  SIGABRT, SIGINT, SIGQUIT, SIGTERM, SIGHUP, SIGALRM };
+  static int sigtab[] = { SIGPIPE, SIGABRT, SIGINT, SIGQUIT,
+			  SIGTERM, SIGHUP, SIGALRM };
   mu_set_signals (handler, sigtab, MU_ARRAY_SIZE (sigtab));
   mu_set_signals (handler, sigtab, MU_ARRAY_SIZE (sigtab));
 }
 }
 
 
@@ -399,8 +400,40 @@ imap4d_mainloop (int ifd, int ofd)
   imap4d_tokbuf_t tokp;
   imap4d_tokbuf_t tokp;
   char *text;
   char *text;
   int debug_mode = isatty (ifd);
   int debug_mode = isatty (ifd);
+  int signo;
 
 
+  if ((signo = setjmp (child_jmp)))
+    {
+      mu_diag_output (MU_DIAG_CRIT, _("got signal `%s'"), strsignal (signo));
+      switch (signo)
+	{
+	case SIGTERM:
+	case SIGHUP:
+	  signo = ERR_TERMINATE;
+	  break;
+      
+	case SIGALRM:
+	  signo = ERR_TIMEOUT;
+	  break;
+      
+	case SIGPIPE:
+	  signo = ERR_NO_OFILE;
+	  break;
+      
+	default:
+	  signo = ERR_SIGNAL;
+	}
+      imap4d_bye (signo);
+    }
+  else
+    {
+      /* Restore default handling for these signals: */
+      static int defsigtab[] = { SIGILL, SIGBUS, SIGFPE, SIGSEGV, SIGSTOP };
+      mu_set_signals (SIG_DFL, defsigtab, MU_ARRAY_SIZE (defsigtab));
+      /* Set child-specific signal handlers */
       imap4d_child_signal_setup (imap4d_child_signal);
       imap4d_child_signal_setup (imap4d_child_signal);
+    }
+  
   io_setio (ifd, ofd);
   io_setio (ifd, ofd);
 
 
   if (imap4d_preauth_setup (ifd) == 0)
   if (imap4d_preauth_setup (ifd) == 0)
@@ -484,6 +517,17 @@ imap4d_check_home_dir (const char *dir, uid_t uid, gid_t gid)
   return 0;
   return 0;
 }
 }
 
 
+
+jmp_buf master_jmp;
+
+RETSIGTYPE
+imap4d_master_signal (int signo)
+{
+  longjmp (master_jmp, signo);
+}
+
+
+
 int
 int
 main (int argc, char **argv)
 main (int argc, char **argv)
 {
 {
@@ -578,6 +622,27 @@ main (int argc, char **argv)
     }
     }
 
 
   /* Set the signal handlers.  */
   /* Set the signal handlers.  */
+  if ((status = setjmp (master_jmp)))
+    {
+      int code;
+      mu_diag_output (MU_DIAG_CRIT, _("MASTER: exiting on signal (%s)"),
+		      strsignal (status));
+      switch (status)
+	{
+	case SIGTERM:
+	case SIGHUP:
+	case SIGQUIT:
+	case SIGINT:
+	  code = EX_OK;
+	  break;
+	  
+	default:
+	  code = EX_SOFTWARE;
+	  break;
+	}
+      
+      exit (code); 
+    }
   mu_set_signals (imap4d_master_signal, sigtab, MU_ARRAY_SIZE (sigtab));
   mu_set_signals (imap4d_master_signal, sigtab, MU_ARRAY_SIZE (sigtab));
 
 
   mu_stdstream_strerr_setup (mu_log_syslog ?
   mu_stdstream_strerr_setup (mu_log_syslog ?

@@ -202,6 +202,7 @@ extern int imap4d_transcript;
 extern mu_list_t imap4d_id_list;
 extern mu_list_t imap4d_id_list;
 extern int imap4d_argc;                 
 extern int imap4d_argc;                 
 extern char **imap4d_argv;
 extern char **imap4d_argv;
+extern jmp_buf child_jmp;
 
 
 /* Input functions */
 /* Input functions */
 extern mu_stream_t iostream;
 extern mu_stream_t iostream;
@@ -334,6 +335,9 @@ extern RETSIGTYPE imap4d_master_signal (int);
 extern RETSIGTYPE imap4d_child_signal (int);
 extern RETSIGTYPE imap4d_child_signal (int);
 extern int imap4d_bye (int);
 extern int imap4d_bye (int);
 extern int imap4d_bye0 (int reason, struct imap4d_command *command);
 extern int imap4d_bye0 (int reason, struct imap4d_command *command);
+void imap4d_enter_critical (void);
+void imap4d_leave_critical (void);
+
 
 
 /* Namespace functions */
 /* Namespace functions */
 extern mu_list_t namespace[NS_MAX];
 extern mu_list_t namespace[NS_MAX];

@@ -182,12 +182,17 @@ imap4d_rename (struct imap4d_command *command, imap4d_tokbuf_t tok)
 	      if (mu_mailbox_get_message (inbox, no, &message) == 0)
 	      if (mu_mailbox_get_message (inbox, no, &message) == 0)
 		{
 		{
 		  mu_attribute_t attr = NULL;
 		  mu_attribute_t attr = NULL;
+
+		  imap4d_enter_critical ();
 		  mu_mailbox_append_message (newmbox, message);
 		  mu_mailbox_append_message (newmbox, message);
+		  imap4d_leave_critical ();
 		  mu_message_get_attribute (message, &attr);
 		  mu_message_get_attribute (message, &attr);
 		  mu_attribute_set_deleted (attr);
 		  mu_attribute_set_deleted (attr);
 		}
 		}
 	    }
 	    }
+	  imap4d_enter_critical ();
 	  mu_mailbox_expunge (inbox);
 	  mu_mailbox_expunge (inbox);
+	  imap4d_leave_critical ();
 	  mu_mailbox_close (inbox);
 	  mu_mailbox_close (inbox);
 	  mu_mailbox_destroy (&inbox);
 	  mu_mailbox_destroy (&inbox);
 	}
 	}

@@ -46,8 +46,10 @@ imap4d_select0 (struct imap4d_command *command, const char *mboxname,
      currently selected mailbox without doing an expunge.  */
      currently selected mailbox without doing an expunge.  */
   if (mbox)
   if (mbox)
     {
     {
+      imap4d_enter_critical ();
       mu_mailbox_sync (mbox);
       mu_mailbox_sync (mbox);
       mu_mailbox_close (mbox);
       mu_mailbox_close (mbox);
+      imap4d_leave_critical ();
       mu_mailbox_destroy (&mbox);
       mu_mailbox_destroy (&mbox);
       /* Destroy the old uid table.  */
       /* Destroy the old uid table.  */
       imap4d_sync ();
       imap4d_sync ();

@@ -15,57 +15,34 @@
    You should have received a copy of the GNU General Public License
    You should have received a copy of the GNU General Public License
    along with GNU Mailutils.  If not, see <http://www.gnu.org/licenses/>. */
    along with GNU Mailutils.  If not, see <http://www.gnu.org/licenses/>. */
 
 
-#define __USE_MISC
 #include "imap4d.h"
 #include "imap4d.h"
 
 
-/* Default signal handler to call the imap4d_bye() function */
+jmp_buf child_jmp;
+static int __critical_section;
+static int __got_signal;
 
 
-RETSIGTYPE
-imap4d_master_signal (int signo)
+void
+imap4d_enter_critical ()
 {
 {
-  int code;
-
-  mu_diag_output (MU_DIAG_CRIT, _("MASTER: exiting on signal (%s)"),
-		  strsignal (signo));
-  switch (signo)
-    {
-    case SIGTERM:
-    case SIGHUP:
-    case SIGQUIT:
-    case SIGINT:
-      code = EX_OK;
-      break;
-
-    default:
-      code = EX_SOFTWARE;
-      break;
-    }
+  __critical_section = 1;
+  if (__got_signal)
+    __critical_section++;
+}
 
 
-  exit (code); 
+void
+imap4d_leave_critical ()
+{
+  if (__got_signal && __critical_section != 2)
+    longjmp (child_jmp, __got_signal);
+  __critical_section = 0;
 }
 }
 
 
 RETSIGTYPE
 RETSIGTYPE
 imap4d_child_signal (int signo)
 imap4d_child_signal (int signo)
 {
 {
   imap4d_child_signal_setup (SIG_IGN);
   imap4d_child_signal_setup (SIG_IGN);
-  mu_diag_output (MU_DIAG_CRIT, _("got signal `%s'"), strsignal (signo));
-  switch (signo)
-    {
-    case SIGTERM:
-    case SIGHUP:
-      signo = ERR_TERMINATE;
-      break;
-      
-    case SIGALRM:
-      signo = ERR_TIMEOUT;
-      break;
-      
-    case SIGPIPE:
-      signo = ERR_NO_OFILE;
-      break;
-      
-    default:
-      signo = ERR_SIGNAL;
-    }
-  imap4d_bye (signo);
+  if (__critical_section)
+    __got_signal = signo;
+  else
+    longjmp (child_jmp, signo);
 }
 }

@@ -88,7 +88,9 @@ imap4d_status (struct imap4d_command *command, imap4d_tokbuf_t tok)
 
 
   /* We may be opening the current mailbox, so make sure the attributes are
   /* We may be opening the current mailbox, so make sure the attributes are
      preserved */
      preserved */
+  imap4d_enter_critical ();
   mu_mailbox_sync (mbox);
   mu_mailbox_sync (mbox);
+  imap4d_leave_critical ();
   
   
   status = mu_mailbox_create_default (&smbox, mailbox_name);
   status = mu_mailbox_create_default (&smbox, mailbox_name);
   if (status == 0)
   if (status == 0)

@@ -56,5 +56,6 @@ sievemod_DATA=\
 EXTRA_DIST=\
 EXTRA_DIST=\
  $(sievemod_DATA)\
  $(sievemod_DATA)\
  sieve-core.scm\
  sieve-core.scm\
- sieve2scm.scmi
+ sieve2scm.scmi\
+ guimb.scmi