File 0003-lib-mail-Fix-out-of-bounds-read-when-parsi... of Package dovecot22.17731

Overview Repositories Revisions Requests Users Attributes Meta

File 0003-lib-mail-Fix-out-of-bounds-read-when-parsing-an-inva.patch of Package dovecot22.17731

From b72d864b8c34cb21076214c0b28101baec530141 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@dovecot.fi>
Date: Fri, 22 Dec 2017 18:36:55 +0200
Subject: [PATCH 3/7] lib-mail: Fix out-of-bounds read when parsing an invalid
 email address

The included unit test doesn't fail, but running it with valgrind shows
"Invalid read of size 1" error.

Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c

Discovered by Aleksandar Nikolic of Cisco Talos
---
 src/lib-mail/message-address.c      |  3 ++-
 src/lib-mail/test-message-address.c | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c
index beb81ee..787a26e 100644
--- a/src/lib-mail/message-address.c
+++ b/src/lib-mail/message-address.c
@@ -221,7 +221,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
 		/* end of input or parsing local-part failed */
 		ctx->addr.invalid_syntax = TRUE;
 	}
-	if (ret != 0 && *ctx->parser.data == '@') {
+	if (ret != 0 && ctx->parser.data != ctx->parser.end &&
+	    *ctx->parser.data == '@') {
 		ret2 = parse_domain(ctx);
 		if (ret2 <= 0)
 			ret = ret2;
diff --git a/src/lib-mail/test-message-address.c b/src/lib-mail/test-message-address.c
index f6a8766..c963aa6 100644
--- a/src/lib-mail/test-message-address.c
+++ b/src/lib-mail/test-message-address.c
@@ -198,6 +198,16 @@ static void test_message_address(void)
 		{ "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>",
 		  { NULL, NULL, NULL, "", "", TRUE },
 		  { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },
+
+		/* Test against a out-of-bounds read bug - keep these two tests
+		   together in this same order: */
+		{ "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>",
+		  { NULL, NULL, NULL, "aaaa", "", TRUE },
+		  { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
+		{ "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>",
+		  { NULL, NULL, NULL, "", "", TRUE },
+		  { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
+		  TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
 	};
 	static struct message_address group_prefix = {
 		NULL, NULL, NULL, "group", NULL, FALSE
-- 
2.1.4

Places

File 0003-lib-mail-Fix-out-of-bounds-read-when-parsing-an-inva.patch of Package dovecot22.17731

Places