]> git.ipfire.org Git - thirdparty/dovecot/core.git/commitdiff
projects / thirdparty / dovecot / core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2ec6f2f)
lib-smtp: smtp-command-parser - Fix read past buffer limit while parsing UTF-8 character.
authorStephan Bosch <stephan.bosch@open-xchange.com>
Fri, 11 Sep 2020 19:53:06 +0000 (21:53 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Wed, 23 Sep 2020 11:33:01 +0000 (11:33 +0000)
The buffer limit was specified as (buf->pos - buf->end) rather than (buf->end -
buf->pos). Since at most a valid UTF-8 character can be read beyond the buffer
size, this bug didn't cause noticeable effects, nor does it present an attack
surface.

src/lib-smtp/smtp-command-parser.c patch | blob | blame | history

diff --git a/src/lib-smtp/smtp-command-parser.c b/src/lib-smtp/smtp-command-parser.c
index 3c4860c0a25288dbe522f750ac44103fc64ce290..f60461e8d1421107e094764dc55fab4d28f1b04b 100644 (file)
--- a/src/lib-smtp/smtp-command-parser.c
+++ b/src/lib-smtp/smtp-command-parser.c
@@ -180,7 +180,7 @@ static int smtp_command_parse_parameters(struct smtp_command_parser *parser)
                if (parser->auth_response)
                        ch = *p;
                else {
-                       nch = uni_utf8_get_char_n(p, (size_t)(p - parser->end),
+                       nch = uni_utf8_get_char_n(p, (size_t)(parser->end - p),
                                                  &ch);
                }
                if (nch == 0)
Mirror of https://github.com/dovecot/core.git