Mercurial > dovecot > core-2.2

changeset 23015:ae4659f289a9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
lib-imap: Don't accept strings with NULs IMAP doesn't allow NULs except in binary literals. We'll still allow them in regular literals as well, but just not in strings. This fixes a bug with unescaping a string with NULs: str_unescape() could have been called for memory that points outside the allocated string, causing heap corruption. This could cause crashes or theoretically even result in remote code execution exploit. Found by Nick Roessler and Rafi Rubin
author Timo Sirainen <timo.sirainen@open-xchange.com>
date Fri, 10 May 2019 19:24:51 +0300
parents c6116e84af30
children d133ed304c89
files src/lib-imap/imap-parser.c
diffstat 1 files changed, 6 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/lib-imap/imap-parser.c	Mon May 27 18:25:38 2019 +0300
+++ b/src/lib-imap/imap-parser.c	Fri May 10 19:24:51 2019 +0300
@@ -350,6 +350,12 @@
 			break;
 		}
 
+		if (data[i] == '\0') {
+			parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX;
+			parser->error_msg = "NULs not allowed in strings";
+			return FALSE;
+		}
+
 		if (data[i] == '\\') {
 			if (i+1 == data_size) {
 				/* known data ends with '\' - leave it to