Mercurial > dovecot > core-2.2
changeset 23015:ae4659f289a9
lib-imap: Don't accept strings with NULs
IMAP doesn't allow NULs except in binary literals. We'll still allow them
in regular literals as well, but just not in strings.
This fixes a bug with unescaping a string with NULs: str_unescape() could
have been called for memory that points outside the allocated string,
causing heap corruption. This could cause crashes or theoretically even
result in remote code execution exploit.
Found by Nick Roessler and Rafi Rubin
author | Timo Sirainen <timo.sirainen@open-xchange.com> |
---|---|
date | Fri, 10 May 2019 19:24:51 +0300 |
parents | c6116e84af30 |
children | d133ed304c89 |
files | src/lib-imap/imap-parser.c |
diffstat | 1 files changed, 6 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/src/lib-imap/imap-parser.c Mon May 27 18:25:38 2019 +0300 +++ b/src/lib-imap/imap-parser.c Fri May 10 19:24:51 2019 +0300 @@ -350,6 +350,12 @@ break; } + if (data[i] == '\0') { + parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX; + parser->error_msg = "NULs not allowed in strings"; + return FALSE; + } + if (data[i] == '\\') { if (i+1 == data_size) { /* known data ends with '\' - leave it to