Mercurial > dovecot > original-hg > dovecot-1.2
changeset 4218:a3f9089faadb HEAD
Fixed a buffer overflow if maildirsize was over 5120 bytes long. Luckily
almost no-one used maildir++ quota yet and the bug is highly unlikely to be
exploitable anyway.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sat, 22 Apr 2006 12:34:57 +0300 |
parents | 4d9706112af4 |
children | 53e1edf215e0 |
files | src/plugins/quota/quota-maildir.c |
diffstat | 1 files changed, 7 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/src/plugins/quota/quota-maildir.c Sat Apr 22 12:18:48 2006 +0300 +++ b/src/plugins/quota/quota-maildir.c Sat Apr 22 12:34:57 2006 +0300 @@ -319,7 +319,7 @@ if (*lines == NULL) return -1; - /* first line contains the limits. 0 value mean unlimited. */ + /* first line contains the limits */ message_bytes_limit = (uint64_t)-1; message_count_limit = (uint64_t)-1; for (limit = t_strsplit(lines[0], ","); *limit != NULL; limit++) { @@ -327,12 +327,10 @@ if (pos[0] != '\0' && pos[1] == '\0') { switch (pos[0]) { case 'C': - if (bytes != 0) - message_count_limit = bytes; + message_count_limit = bytes; break; case 'S': - if (bytes != 0) - message_bytes_limit = bytes; + message_bytes_limit = bytes; break; } } @@ -418,8 +416,10 @@ return ret; } + /* @UNSAFE */ size = 0; - while ((ret = read(fd, buf, sizeof(buf)-1)) != 0) { + while (size < sizeof(buf)-1 && + (ret = read(fd, buf + size, sizeof(buf)-1 - size)) != 0) { if (ret < 0) { if (errno == ESTALE) break; @@ -428,7 +428,7 @@ } size += ret; } - if (ret < 0 || size == sizeof(buf)-1) { + if (ret < 0 || size >= sizeof(buf)-1) { /* error / recalculation needed. */ (void)close(fd); t_pop();