lib-mail: Fix out-of-bounds read when parsing an invalid email address

The included unit test doesn't fail, but running it with valgrind shows
"Invalid read of size 1" error.

Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c

Discovered by Aleksandar Nikolic of Cisco Talos

diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c
index 01f80be6b077b42a1cc77e88ad68fb188632a0d1..d426a16510a303b84536935aaff45895ec5df556 100644 (file)
--- a/src/lib-mail/message-address.c
+++ b/src/lib-mail/message-address.c
@@ -222,7 +222,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
                /* end of input or parsing local-part failed */
                ctx->addr.invalid_syntax = TRUE;
        }
-       if (ret != 0 && *ctx->parser.data == '@') {
+       if (ret != 0 && ctx->parser.data != ctx->parser.end &&
+           *ctx->parser.data == '@') {
                ret2 = parse_domain(ctx);
                if (ret2 <= 0)
                        ret = ret2;

diff --git a/src/lib-mail/test-message-address.c b/src/lib-mail/test-message-address.c
index 898ed43d184b5fff92525c34f5360ead20120c13..a33917ddcdd08af98fbb4d67553800fd87a173e8 100644 (file)
--- a/src/lib-mail/test-message-address.c
+++ b/src/lib-mail/test-message-address.c
@@ -198,6 +198,16 @@ static void test_message_address(void)
                { "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>",
                  { NULL, NULL, NULL, "", "", TRUE },
                  { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },
+
+               /* Test against a out-of-bounds read bug - keep these two tests
+                  together in this same order: */
+               { "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>",
+                 { NULL, NULL, NULL, "aaaa", "", TRUE },
+                 { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
+               { "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>",
+                 { NULL, NULL, NULL, "", "", TRUE },
+                 { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
+                 TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
        };
        static struct message_address group_prefix = {
                NULL, NULL, NULL, "group", NULL, FALSE