From: Timo Sirainen Date: Fri, 22 Dec 2017 16:36:55 +0000 (+0200) Subject: lib-mail: Fix out-of-bounds read when parsing an invalid email address X-Git-Tag: 2.3.0.1~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35eb25cdadfb64294d645bcb2305d63386ac594b;p=thirdparty%2Fdovecot%2Fcore.git lib-mail: Fix out-of-bounds read when parsing an invalid email address The included unit test doesn't fail, but running it with valgrind shows "Invalid read of size 1" error. Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c Discovered by Aleksandar Nikolic of Cisco Talos
---
diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c
index 01f80be6b0..d426a16510 100644
--- a/src/lib-mail/message-address.c
+++ b/src/lib-mail/message-address.c
@@ -222,7 +222,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
 /* end of input or parsing local-part failed */
 ctx->addr.invalid_syntax = TRUE;
 }
- if (ret != 0 && *ctx->parser.data == '@') {
+ if (ret != 0 && ctx->parser.data != ctx->parser.end &&
+ *ctx->parser.data == '@') {
 ret2 = parse_domain(ctx);
 if (ret2 <= 0)
 ret = ret2;
diff --git a/src/lib-mail/test-message-address.c b/src/lib-mail/test-message-address.c
index 898ed43d18..a33917ddcd 100644
--- a/src/lib-mail/test-message-address.c
+++ b/src/lib-mail/test-message-address.c
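Review bot: The new `ctx->parser.data != ctx->parser.end` guard in the `if (ret != 0 && ...)` condition carries no comment explaining why a non-zero `ret` can still leave the cursor at the end of the buffer, which is presumably the case that let the old `*ctx->parser.data == '@'` read one byte past the input. I would add above the condition `/* local-part parsing may stop (or fail) with data == end; never peek at *data without checking */` so the bounds check is not dropped in a later cleanup. Whether other `*ctx->parser.data` peeks in this file follow a parser call without the same comparison is not visible from this hunk and is worth checking. parse_addr_spec starts and ends outside the hunk.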
@@ -198,6 +198,16 @@ static void test_message_address(void)
 { "<@>", "", "",
 { NULL, NULL, NULL, "", "", TRUE },
 { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },
+
+ /* Test against a out-of-bounds read bug - keep these two tests
+ together in this same order: */
+ { "aaaa@", "", "",
+ { NULL, NULL, NULL, "aaaa", "", TRUE },
+ { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
+ { "a(aa", "", "",
+ { NULL, NULL, NULL, "", "", TRUE },
+ { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
+ TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
 };
 static struct message_address group_prefix = {
 NULL, NULL, NULL, "group", NULL, FALSE
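Review bot: The comment added above the `"aaaa@"` and `"a(aa"` cases says to keep them in this order but not why, and it does not mention that both cases pass even with the bug present; per the commit message the invalid read only shows up under valgrind. I would extend it to something like `/* Out-of-bounds read regression: passes without the fix too, only valgrind/ASan reports the invalid read. Keep these two tests together in this order. */` and fix "a out-of-bounds" to "an out-of-bounds". Unless the test suite is routinely run under a memory checker, these entries give no protection against the read returning, so the comment should say how the test is meant to be run. The test table and test_message_address start outside the hunk.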