You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 lines
1.2 KiB
38 lines
1.2 KiB
4 years ago
|
From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001
|
||
|
From: Timo Sirainen <timo.sirainen@open-xchange.com>
|
||
|
Date: Fri, 10 May 2019 19:24:51 +0300
|
||
|
Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs
|
||
|
|
||
|
IMAP doesn't allow NULs except in binary literals. We'll still allow them
|
||
|
in regular literals as well, but just not in strings.
|
||
|
|
||
|
This fixes a bug with unescaping a string with NULs: str_unescape() could
|
||
|
have been called for memory that points outside the allocated string,
|
||
|
causing heap corruption. This could cause crashes or theoretically even
|
||
|
result in remote code execution exploit.
|
||
|
|
||
|
Found by Nick Roessler and Rafi Rubin
|
||
|
---
|
||
|
src/lib-imap/imap-parser.c | 6 ++++++
|
||
|
1 file changed, 6 insertions(+)
|
||
|
|
||
|
diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
|
||
|
index dddf55189..f41668d7a 100644
|
||
|
--- a/src/lib-imap/imap-parser.c
|
||
|
+++ b/src/lib-imap/imap-parser.c
|
||
|
@@ -363,6 +363,11 @@ static bool imap_parser_read_string(struct imap_parser *parser,
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
+ if (data[i] == '\0') {
|
||
|
+ parser->error = "NULs not allowed in strings";
|
||
|
+ return FALSE;
|
||
|
+ }
|
||
|
+
|
||
|
if (data[i] == '\\') {
|
||
|
if (i+1 == data_size) {
|
||
|
/* known data ends with '\' - leave it to
|
||
|
--
|
||
|
2.11.0
|
||
|
|