From: Baptiste Daroussin <bapt@FreeBSD.org>
Date: Mon, 6 Feb 2023 08:37:32 +0000 (+0100)
Subject: get_preppedhdrs_from_map: fix null terminations issues
X-Git-Tag: RELEASE_1_4_0b1~238
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be59e894d3edf97b437e7409a0cf48f5f08e72d0;p=thirdparty%2Fmlmmj.git

get_preppedhdrs_from_map: fix null terminations issues

Null terminate the returned string
mmap is not null terminated, pass the len to ensure the lookup is done
based on a length determined manner
---

diff --git a/ChangeLog b/ChangeLog
index d83016c2..0ebd4877 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,5 @@
+1.4.0-a3
+ o Fix a potential crash with mail without separator between headers and body
 1.4.0-a2
  o Fix a crash with forged probe emails
  o mlmmj-send does not need anymore absolute path
diff --git a/include/mail-functions.h b/include/mail-functions.h
index 2c17c77e..f01dd0e7 100644
--- a/include/mail-functions.h
+++ b/include/mail-functions.h
@@ -35,7 +35,7 @@ int write_rcpt_to(int sockfd, const char *rcpt_addr);
 int write_custom_line(int sockfd, const char *line);
 int write_mailbody_from_map(int sockfd, char *mailmap, size_t mailsize,
 			    const char *tohdr);
-char *get_preppedhdrs_from_map(char *mapstart, size_t *hdrslen);
+char *get_preppedhdrs_from_map(char *mapstart, size_t maplen, size_t *hdrslen);
 char *get_prepped_mailbody_from_map(char *mapstart, size_t size,
 				    size_t *bodylen);
 int write_replyto(int sockfd, const char *replyaddr);
diff --git a/src/mail-functions.c b/src/mail-functions.c
index ee279362..a8b1a102 100644
--- a/src/mail-functions.c
+++ b/src/mail-functions.c
@@ -118,13 +118,13 @@ int write_mailbody_from_map(int sockfd, char *mapstart, size_t size,
 	return 0;
 }
 
-char *get_preppedhdrs_from_map(char *mapstart, size_t *hlen)
+char *get_preppedhdrs_from_map(char *mapstart, size_t maplen, size_t *hlen)
 {
 	char *cur, *next, *endhdrs, *retstr, *r;
 	const char newlinebuf[] = "\r\n";
 	size_t hdrlen, n = 0;
 
-	endhdrs = strstr(mapstart, "\n\n");
+	endhdrs = strnstr(mapstart, "\n\n", maplen);
 	if(endhdrs == NULL)
 		return NULL; /* The map doesn't map a file with a mail */
 
@@ -134,7 +134,7 @@ char *get_preppedhdrs_from_map(char *mapstart, size_t *hlen)
 		if(*next == '\n')
 			n++;
 
-	retstr = xmalloc(hdrlen + n);
+	retstr = xmalloc(hdrlen + n + 1);
 	*hlen = hdrlen + n;	
 	r = retstr;	
 
@@ -147,6 +147,7 @@ char *get_preppedhdrs_from_map(char *mapstart, size_t *hlen)
 			cur = next + 1;
 		}
 	}
+	retstr[*hlen] = '\0';
 
 	return retstr;
 }
diff --git a/src/mlmmj-send.c b/src/mlmmj-send.c
index d5458a5b..89de6881 100644
--- a/src/mlmmj-send.c
+++ b/src/mlmmj-send.c
@@ -606,7 +606,7 @@ int main(int argc, char **argv)
 	mail.size = st.st_size;
 
 	if(mail.inmem) {
-		mail.hdrs = get_preppedhdrs_from_map(mail.map, &hdrslen);
+		mail.hdrs = get_preppedhdrs_from_map(mail.map, mail.size, &hdrslen);
 		if(mail.hdrs == NULL) {
 			log_error(LOG_ARGS, "Could not prepare headers");
 			exit(EXIT_FAILURE);
diff --git a/tests/mlmmj.c b/tests/mlmmj.c
index fb7e42e9..a04b30df 100644
--- a/tests/mlmmj.c
+++ b/tests/mlmmj.c
@@ -125,6 +125,7 @@ ATF_TC_WITHOUT_HEAD(controls);
 ATF_TC_WITHOUT_HEAD(incindexfile);
 ATF_TC_WITHOUT_HEAD(log_oper);
 ATF_TC_WITHOUT_HEAD(get_preppedhdrs_from_map);
+ATF_TC_WITHOUT_HEAD(get_preppedhdrs_from_map_1);
 
 #ifndef NELEM
 #define NELEM(array)    (sizeof(array) / sizeof((array)[0]))
@@ -1876,6 +1877,7 @@ ATF_TC_BODY(log_oper, tc)
 ATF_TC_BODY(get_preppedhdrs_from_map, tc)
 {
 	struct stat st;
+	char *hdr;
 	FILE *f = fopen("./mailfile", "w+");
 
 	fprintf(f, "head1: plop\nhead2\n\nbody\n");
@@ -1887,8 +1889,29 @@ ATF_TC_BODY(get_preppedhdrs_from_map, tc)
 	char *map = mmap(0, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
 	ATF_REQUIRE(map != NULL);
 	size_t len = 0;
-	ATF_REQUIRE(get_preppedhdrs_from_map(map, &len) != NULL);
+	ATF_REQUIRE((hdr = get_preppedhdrs_from_map(map, st.st_size, &len)) != NULL);
 	ATF_REQUIRE_EQ(len, 20);
+	ATF_REQUIRE(strncmp(hdr, "head1: plop\r\nhead2\r\n", len) == 0);
+	ATF_REQUIRE_STREQ(hdr, "head1: plop\r\nhead2\r\n");
+	munmap(map, st.st_size);
+	close(fd);
+}
+
+ATF_TC_BODY(get_preppedhdrs_from_map_1, tc)
+{
+	struct stat st;
+	FILE *f = fopen("./mailfile", "w+");
+
+	fprintf(f, "head1: plop\nhead2\nbody\n");
+	fclose(f);
+
+	stat("./mailfile", &st);
+	int fd = open("./mailfile", O_RDONLY);
+	ATF_REQUIRE(fd != -1);
+	char *map = mmap(0, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
+	ATF_REQUIRE(map != NULL);
+	size_t len = 0;
+	ATF_REQUIRE(get_preppedhdrs_from_map(map, st.st_size, &len) == NULL);
 	munmap(map, st.st_size);
 	close(fd);
 }
@@ -1959,6 +1982,7 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, incindexfile);
 	ATF_TP_ADD_TC(tp, log_oper);
 	ATF_TP_ADD_TC(tp, get_preppedhdrs_from_map);
+	ATF_TP_ADD_TC(tp, get_preppedhdrs_from_map_1);
 
 	return (atf_no_error());
 }