dovecot-2.2: lib: uri-util - harden uri_parse_dec_octet() again...
dovecot at dovecot.org
Wed Jul 2 15:23:26 UTC 2014
details: http://hg.dovecot.org/dovecot-2.2/rev/439bba739c49
changeset: 17561:439bba739c49
user: Phil Carmody <phil at dovecot.fi>
date: Wed Jul 02 18:21:24 2014 +0300
description:
lib: uri-util - harden uri_parse_dec_octet() against overflow
Invalid input 284 (2^8*10/9) is incorrectly parsed as valid.
28 * 10 + 4 = 284 == 28 (mod 2^8), so the wrap detection fails.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
diffstat:
src/lib/uri-util.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
diffs (24 lines):
diff -r a39ccb12c14f -r 439bba739c49 src/lib/uri-util.c
--- a/src/lib/uri-util.c Wed Jul 02 18:21:24 2014 +0300
+++ b/src/lib/uri-util.c Wed Jul 02 18:21:24 2014 +0300
@@ -258,7 +258,7 @@
uri_parse_dec_octet(struct uri_parser *parser, string_t *literal,
uint8_t *octet_r)
{
- uint8_t octet = 0;
+ unsigned int octet = 0;
int count = 0;
/* RFC 3986:
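Review bot: the declaration `unsigned int octet = 0;` needs a short comment saying why it is deliberately wider than the `uint8_t *octet_r` output. With the wider local, any later store through `octet_r` is an implicit narrowing that is only safe because of the range check in the loop, and without a comment a future cleanup could "fix" the type mismatch by changing it back to `uint8_t`, which would reintroduce the wrap described in the commit message.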
@@ -271,10 +271,8 @@
*/
while (parser->cur < parser->end && i_isdigit(*parser->cur)) {
- uint8_t prev = octet;
-
octet = octet * 10 + (parser->cur[0] - '0');
- if (octet < prev)
+ if (octet > 255)
return -1;
if (literal != NULL)
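Review bot: the diffstat shows only src/lib/uri-util.c changing, so nothing guards `if (octet > 255)` against regression; please add a unit test that feeds 284 (the value from the commit message) and checks for -1, plus the boundary pair 255 (accepted) and 256 (rejected). The check itself is sound: it runs after every digit, so `octet` is at most 255 going into `octet * 10 + (parser->cur[0] - '0')` and cannot exceed 2559, far below where an `unsigned int` would wrap. As a style point, the bare 255 could be written as `UINT8_MAX` to tie the bound to the type of `octet_r`.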