From: Timo Sirainen Date: Fri, 10 May 2019 16:24:51 +0000 (+0300) Subject: lib-imap: Don't accept strings with NULs X-Git-Tag: 2.3.8~253 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=999bac1c6a4d318c560fee10736b37b6bd07142c;p=thirdparty%2Fdovecot%2Fcore.git lib-imap: Don't accept strings with NULs IMAP doesn't allow NULs except in binary literals. We'll still allow them in regular literals as well, but just not in strings. This fixes a bug with unescaping a string with NULs: str_unescape() could have been called for memory that points outside the allocated string, causing heap corruption. This could cause crashes or theoretically even result in remote code execution exploit. Found by Nick Roessler and Rafi Rubin --- diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c index dddf551899..f41668d7a5 100644 --- a/src/lib-imap/imap-parser.c +++ b/src/lib-imap/imap-parser.c @@ -363,6 +363,12 @@ static bool imap_parser_read_string(struct imap_parser *parser, break; } + if (data[i] == '\0') { + parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX; + parser->error_msg = "NULs not allowed in strings"; + return FALSE; + } + if (data[i] == '\\') { if (i+1 == data_size) { /* known data ends with '\' - leave it to
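Review bot: In the imap_parser_read_string() hunk, the new `data[i] == '\0'` test only examines the byte at index i and sits ahead of the `data[i] == '\\'` branch, so whether a NUL directly following a backslash is rejected depends on how that branch advances i, which the visible context cuts off. Please confirm that the escaped byte is also tested, or place the NUL test so that it covers it, since the commit message ties the heap corruption to str_unescape() being run on a string that contains NULs. The diff as shown touches only imap-parser.c; a parser unit test feeding a quoted string with a NUL, both unescaped and immediately after a backslash, and asserting IMAP_PARSE_ERROR_BAD_SYNTAX would pin the behaviour down. A one-line comment at the check stating that str_unescape() relies on NUL-free input would also document why strings are rejected while literals are still allowed.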