lib-mail: Fix out-of-bounds read when parsing an invalid email address
authorTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 22 Dec 2017 16:36:55 +0000 (18:36 +0200)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Tue, 6 Mar 2018 09:51:23 +0000 (11:51 +0200)
The included unit test doesn't fail, but running it with valgrind shows an
"Invalid read of size 1" error.

Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c

Discovered by Aleksandar Nikolic of Cisco Talos

src/lib-mail/message-address.c
src/lib-mail/test-message-address.c

index c1ffe72f561ead4435d627c9f1dbf42a9db5612e..bee91427a132a2fdc5747e5a967d9ae19cc749ea 100644 (file)
@@ -222,7 +222,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
                /* end of input or parsing local-part failed */
                ctx->addr.invalid_syntax = TRUE;
        }
-       if (ret != 0 && *ctx->parser.data == '@') {
+       if (ret != 0 && ctx->parser.data != ctx->parser.end &&
+           *ctx->parser.data == '@') {
                ret2 = parse_domain(ctx);
                if (ret2 <= 0)
                        ret = ret2;
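Review bot: The added end-of-buffer test in the `if` condition uses `!=`, which only stops the dereference when the cursor sits exactly on `ctx->parser.end`; writing it as `ctx->parser.data < ctx->parser.end` would also cover a cursor that had somehow moved past the end, at no extra cost. The guard is needed because `ret != 0` also admits the failure case, in which the local-part parser may already have consumed all input, so a short comment such as `/* local-part parsing may fail at end of input: check bounds before peeking at '@' */` would keep a later cleanup from dropping it. Other places that read `*ctx->parser.data` after a sub-parser returns are not visible in this hunk and may deserve the same check. parse_addr_spec's body starts and ends outside the hunk.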
index 7f5103c1f1879e89be2d71c0771e98dfe488eaa2..e0057fd9db17ce8304357f0726eab6ed50453986 100644 (file)
@@ -198,6 +198,16 @@ static void test_message_address(void)
                { "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>",
                  { NULL, NULL, NULL, "", "", TRUE },
                  { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },
+
+               /* Test against a out-of-bounds read bug - keep these two tests
+                  together in this same order: */
+               { "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>",
+                 { NULL, NULL, NULL, "aaaa", "", TRUE },
+                 { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
+               { "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>",
+                 { NULL, NULL, NULL, "", "", TRUE },
+                 { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
+                 TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
        };
        static struct message_address group_prefix = {
                NULL, NULL, NULL, "group", NULL, FALSE
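Review bot: The comment above the two new entries asks that they stay together and in this order but does not say why, and per the commit message the cases pass even with the bug present, so the regression is only caught when the suite runs under valgrind or a similar memory checker. I would spell that out, e.g. `/* Regression test for an out-of-bounds read in parse_addr_spec(). The entries pass either way; the bad read only shows under valgrind. Keep them adjacent and in this order. */`, and state the reason for the ordering if it is known (presumably the second input's over-read depends on bytes left behind by the first). The existing comment also reads "a out-of-bounds" where "an" is meant. test_message_address's body starts and ends outside the hunk.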