lib-imap: Don't accept strings with NULs

IMAP doesn't allow NULs except in binary literals. We'll still allow them
in regular literals as well, but just not in strings.

This fixes a bug with unescaping a string with NULs: str_unescape() could
have been called for memory that points outside the allocated string,
causing heap corruption. This could cause crashes or theoretically even
result in remote code execution exploit.

Found by Nick Roessler and Rafi Rubin

diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
index 05eaf7af00fff1e9181a2a546c1675ac36364717..cf2ffd9de6b9d7938170df153add06f65708e954 100644 (file)
--- a/src/lib-imap/imap-parser.c
+++ b/src/lib-imap/imap-parser.c
@@ -350,6 +350,11 @@ static int imap_parser_read_string(struct imap_parser *parser,
                        break;
                }
 
+               if (data[i] == '\0') {
+                       parser->error = "NULs not allowed in strings";
+                       return FALSE;
+               }
+
                if (data[i] == '\\') {
                        if (i+1 == data_size) {
                                /* known data ends with '\' - leave it to