changeset 4218:a3f9089faadb HEAD

Fixed a buffer overflow if maildirsize was over 5120 bytes long. Luckily almost no-one used maildir++ quota yet and the bug is highly unlikely to be exploitable anyway.
author Timo Sirainen <tss@iki.fi>
date Sat, 22 Apr 2006 12:34:57 +0300
parents 4d9706112af4
children 53e1edf215e0
files src/plugins/quota/quota-maildir.c
diffstat 1 files changed, 7 insertions(+), 7 deletions(-) [+]
--- a/src/plugins/quota/quota-maildir.c	Sat Apr 22 12:18:48 2006 +0300
+++ b/src/plugins/quota/quota-maildir.c	Sat Apr 22 12:34:57 2006 +0300
@@ -319,7 +319,7 @@
 	if (*lines == NULL)
 		return -1;
 
-	/* first line contains the limits. 0 value mean unlimited. */
+	/* first line contains the limits */
 	message_bytes_limit = (uint64_t)-1;
 	message_count_limit = (uint64_t)-1;
 	for (limit = t_strsplit(lines[0], ","); *limit != NULL; limit++) {
@@ -327,12 +327,10 @@
 		if (pos[0] != '\0' && pos[1] == '\0') {
 			switch (pos[0]) {
 			case 'C':
-				if (bytes != 0)
-					message_count_limit = bytes;
+				message_count_limit = bytes;
 				break;
 			case 'S':
-				if (bytes != 0)
-					message_bytes_limit = bytes;
+				message_bytes_limit = bytes;
 				break;
 			}
 		}
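Review bot: The removal of the `if (bytes != 0)` guards in the `'C'` and `'S'` cases changes quota semantics and is not mentioned in the commit description, which covers only the buffer overflow. With the new lines a `0C` or `0S` field stores 0 in the limit instead of leaving it at `(uint64_t)-1`, and the comment edited in the previous hunk no longer says what a zero value means. How the limits are compared is outside these hunks, so whether 0 now denies all mail or is still treated as unlimited further down cannot be told from here. The comment should state it, for example `/* first line contains the limits; 0 is stored as-is, see <where it is interpreted> */` with the placeholder filled in.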
@@ -418,8 +416,10 @@
 		return ret;
 	}
 
+	/* @UNSAFE */
 	size = 0;
-	while ((ret = read(fd, buf, sizeof(buf)-1)) != 0) {
+	while (size < sizeof(buf)-1 &&
+	       (ret = read(fd, buf + size, sizeof(buf)-1 - size)) != 0) {
 		if (ret < 0) {
 			if (errno == ESTALE)
 				break;
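Review bot: The `/* @UNSAFE */` marker flags the loop for manual bounds review but does not state the invariant that makes it safe. The loop condition keeps `size` below `sizeof(buf)-1` before each call, and the length passed to read() is `sizeof(buf)-1 - size`, so a write cannot go past the last byte of `buf`. I would record that as `/* @UNSAFE: size stays <= sizeof(buf)-1, so read() never writes past buf */`. The `if (ret < 0)` body continues outside the hunk, so whether a non-ESTALE error leaves the loop before `size += ret` cannot be checked from here.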
@@ -428,7 +428,7 @@
 		}
 		size += ret;
 	}
-	if (ret < 0 || size == sizeof(buf)-1) {
+	if (ret < 0 || size >= sizeof(buf)-1) {
 		/* error / recalculation needed. */
 		(void)close(fd);
 		t_pop();
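Review bot: The comment `/* error / recalculation needed. */` does not say what the `size >= sizeof(buf)-1` half of the condition covers. Once the loop stops at the limit, a file that fills the buffer exactly cannot be told apart from a longer one, so both are rejected. That is the fail-safe choice, and something like `/* read error, or maildirsize did not fit in buf: recalculation needed */` would make it explicit. The function continues past the end of the hunk.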