From: Timo Sirainen Date: Sat, 15 Dec 2018 14:24:42 +0000 (+0200) Subject: lib-mail: ostream-dot - Fix potential assert-crash when parent stream buffer gets... X-Git-Tag: 2.3.5~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3df4e47db28f06c983bfe7197e151d985235d3d3;p=thirdparty%2Fdovecot%2Fcore.git lib-mail: ostream-dot - Fix potential assert-crash when parent stream buffer gets full If max_bytes=1, the (max_bytes-2) calculation brings it to (size_t)-1. This causes too much data to be sent to the parent stream, which then returns a partial write and causes an assert-crash. The final chunk calculation doesn't need the -2 check, because additional bytes aren't inserted at that point. Fixes: Panic: file ostream-dot.c: line 208 (o_stream_dot_sendv): assertion failed: ((size_t)ret == sent + added) --- diff --git a/src/lib-mail/ostream-dot.c b/src/lib-mail/ostream-dot.c index d03b0c97d4..6827cbdc01 100644 --- a/src/lib-mail/ostream-dot.c +++ b/src/lib-mail/ostream-dot.c @@ -104,7 +104,7 @@ o_stream_dot_sendv(struct ostream_private *stream, p = data; pend = CONST_PTR_OFFSET(data, size); - for (; p < pend && (size_t)(p-data) < (max_bytes-2); p++) { + for (; p < pend && (size_t)(p-data)+2 < max_bytes; p++) { char add = 0; switch (dstream->state) { @@ -183,8 +183,8 @@ o_stream_dot_sendv(struct ostream_private *stream, if (max_bytes == 0) break; - chunk = ((size_t)(p-data) >= (max_bytes-2) ? - max_bytes - 2 : (size_t)(p - data)); + chunk = ((size_t)(p-data) >= max_bytes ? + max_bytes : (size_t)(p - data)); if (chunk > 0) { iovn.iov_base = data; iovn.iov_len = chunk;