You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

38 lines
1.2 KiB

From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Fri, 10 May 2019 19:24:51 +0300
Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs
IMAP doesn't allow NULs except in binary literals. We'll still allow them
in regular literals as well, but just not in strings.
This fixes a bug with unescaping a string with NULs: str_unescape() could
have been called for memory that points outside the allocated string,
causing heap corruption. This could cause crashes or theoretically even
result in remote code execution exploit.
Found by Nick Roessler and Rafi Rubin
---
src/lib-imap/imap-parser.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
index dddf55189..f41668d7a 100644
--- a/src/lib-imap/imap-parser.c
+++ b/src/lib-imap/imap-parser.c
@@ -363,6 +363,11 @@ static bool imap_parser_read_string(struct imap_parser *parser,
break;
}
+ if (data[i] == '\0') {
+ parser->error = "NULs not allowed in strings";
+ return FALSE;
+ }
+
if (data[i] == '\\') {
if (i+1 == data_size) {
/* known data ends with '\' - leave it to
--
2.11.0