lib-imap: Don't accept strings with NULs

IMAP doesn't allow NULs except in binary literals. We'll still allow them
in regular literals as well, but just not in strings.

This fixes a bug with unescaping a string with NULs: str_unescape() could
have been called for memory that points outside the allocated string,
causing heap corruption. This could cause crashes or theoretically even
result in remote code execution exploit.

Found by Nick Roessler and Rafi Rubin

diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
index dddf5518994f8d490d2a29d61d8301df90fd20c6..f41668d7a53e7158bfe26208d7ec5abd15480b16 100644 (file)
--- a/src/lib-imap/imap-parser.c
+++ b/src/lib-imap/imap-parser.c
@@ -363,6 +363,12 @@ static bool imap_parser_read_string(struct imap_parser *parser,
                        break;
                }
 
+               if (data[i] == '\0') {
+                       parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX;
+                       parser->error_msg = "NULs not allowed in strings";
+                       return FALSE;
+               }
+
                if (data[i] == '\\') {
                        if (i+1 == data_size) {
                                /* known data ends with '\' - leave it to