lib-smtp: Reject overly large MAIL FROM and BDAT SIZE parameters

At least events use signed intmax_t for storing the mail size, which
can cause such large numbers to wrap to negative numbers.

diff --git a/src/lib-smtp/smtp-params.c b/src/lib-smtp/smtp-params.c
index 30308dcd45c05aaba6993f1abf0ce17b2a60010e..ab3a0d1c3374649f03d06da3eeb79e679a9be141 100644 (file)
--- a/src/lib-smtp/smtp-params.c
+++ b/src/lib-smtp/smtp-params.c
@@ -473,7 +473,8 @@ smtp_params_mail_parse_size(struct smtp_params_mail_parser *pmparser,
        }
 
        /* size-value ::= 1*20DIGIT */
-       if (str_to_uoff(value, &params->size) < 0) {
+       if (str_to_uoff(value, &params->size) < 0 ||
+           params->size > INTMAX_MAX) {
                pmparser->error = "Unsupported SIZE parameter value";
                pmparser->error_code = SMTP_PARAM_PARSE_ERROR_NOT_SUPPORTED;
                return -1;

diff --git a/src/lib-smtp/smtp-server-cmd-data.c b/src/lib-smtp/smtp-server-cmd-data.c
index 01be8803795264d370ca999fa0c70d74d8e0e4c5..035abe2df004d881d083983eba409064cd17b51a 100644 (file)
--- a/src/lib-smtp/smtp-server-cmd-data.c
+++ b/src/lib-smtp/smtp-server-cmd-data.c
@@ -645,7 +645,8 @@ void smtp_server_cmd_bdat(struct smtp_server_cmd_ctx *cmd,
           end-marker = "LAST"
         */
        argv = t_strsplit(params, " ");
-       if (argv[0] == NULL || str_to_uoff(argv[0], &size) < 0) {
+       if (argv[0] == NULL || str_to_uoff(argv[0], &size) < 0 ||
+           size > INTMAX_MAX) {
                smtp_server_reply(cmd,
                        501, "5.5.4", "Invalid chunk size parameter");
                size = 0;