changeset 22883:f578acb188d6

lib-mail: Fix out-of-bounds read when parsing an invalid email address. The included unit test doesn't fail on its own, but running it with valgrind shows an "Invalid read of size 1" error. Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c. Discovered by Aleksandar Nikolic of Cisco Talos.
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Fri, 22 Dec 2017 18:36:55 +0200
parents a04585ef5299
children 77577228fd8f
files src/lib-mail/message-address.c src/lib-mail/test-message-address.c
diffstat 2 files changed, 12 insertions(+), 1 deletions(-) [+]
--- a/src/lib-mail/message-address.c	Fri Dec 22 18:36:09 2017 +0200
+++ b/src/lib-mail/message-address.c	Fri Dec 22 18:36:55 2017 +0200
@@ -221,7 +221,8 @@
 		/* end of input or parsing local-part failed */
 		ctx->addr.invalid_syntax = TRUE;
 	}
-	if (ret != 0 && *ctx->parser.data == '@') {
+	if (ret != 0 && ctx->parser.data != ctx->parser.end &&
+	    *ctx->parser.data == '@') {
 		ret2 = parse_domain(ctx);
 		if (ret2 <= 0)
 			ret = ret2;
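Review bot: The new guard `ctx->parser.data != ctx->parser.end` protects the `*ctx->parser.data` read only when the pointer stops exactly at the end of input. If an earlier parsing step ever left `data` past `end`, the dereference would still read out of bounds. Writing it as `ctx->parser.data < ctx->parser.end` costs nothing and fails closed. A short comment such as `/* data may already be at end: the branch above only sets invalid_syntax and falls through */` would record why the check is there. The enclosing function starts and ends outside this hunk, so whether other dereferences of `parser.data` in it need the same guard cannot be judged from here.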
--- a/src/lib-mail/test-message-address.c	Fri Dec 22 18:36:09 2017 +0200
+++ b/src/lib-mail/test-message-address.c	Fri Dec 22 18:36:55 2017 +0200
@@ -198,6 +198,16 @@
 		{ "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>",
 		  { NULL, NULL, NULL, "", "", TRUE },
 		  { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },
+
+		/* Test against a out-of-bounds read bug - keep these two tests
+		   together in this same order: */
+		{ "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>",
+		  { NULL, NULL, NULL, "aaaa", "", TRUE },
+		  { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
+		{ "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>",
+		  { NULL, NULL, NULL, "", "", TRUE },
+		  { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
+		  TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
 	};
 	static struct message_address group_prefix = {
 		NULL, NULL, NULL, "group", NULL, FALSE
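Review bot: The comment on the two new cases ("aaaa@" followed by "a(aa") asks that they stay together in this order, but it does not say why, or that the regression is invisible in a normal run. According to the commit message the test passes even without the fix and only valgrind reports the invalid read, so these entries protect nothing unless the suite runs under valgrind or a comparable memory checker. I would put that in the comment, and fix the article, e.g. `/* Test against an out-of-bounds read bug - keep these two tests together in this same order. The bad read is only reported by valgrind; the test itself passes either way. */`. If the ordering matters because the second input reuses memory left by the first (a guess, since the harness is not visible here), the comment should say that too, so nobody splits the cases apart later.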