dovecot-2.2: pop3: pop3-commands - harden integer parsers agains...
dovecot at dovecot.org
dovecot at dovecot.org
Wed Jul 2 15:23:26 UTC 2014
details: http://hg.dovecot.org/dovecot-2.2/rev/2ed2ab04b63d
changeset: 17563:2ed2ab04b63d
user: Phil Carmody <phil at dovecot.fi>
date: Wed Jul 02 18:21:24 2014 +0300
description:
pop3: pop3-commands - harden integer parsers against integer overflow
In get_msgnum(), the invalid input "4772185884" (2^32*10/9) would be
parsed as being valid.
In get_size(), the invalid input "204963823041217240178" (2^64*10/9)
would be parsed as being valid.
We have helpers now, so use them.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
diffstat:
src/pop3/pop3-commands.c | 20 ++++++--------------
1 files changed, 6 insertions(+), 14 deletions(-)
diffs (59 lines):
diff -r 2051de7285c4 -r 2ed2ab04b63d src/pop3/pop3-commands.c
--- a/src/pop3/pop3-commands.c Wed Jul 02 18:21:24 2014 +0300
+++ b/src/pop3/pop3-commands.c Wed Jul 02 18:21:24 2014 +0300
@@ -28,24 +28,20 @@
static const char *get_msgnum(struct client *client, const char *args,
unsigned int *msgnum)
{
- unsigned int num, last_num;
+ unsigned int num;
- num = 0;
- while (*args != '\0' && *args != ' ') {
+ if (*args != '\0' && *args != ' ') {
if (*args < '0' || *args > '9') {
client_send_line(client,
"-ERR Invalid message number: %s", args);
return NULL;
}
- last_num = num;
- num = num*10 + (*args - '0');
- if (num < last_num) {
+ if (str_parse_uint(args, &num, &args) < 0) {
client_send_line(client,
"-ERR Message number too large: %s", args);
return NULL;
}
- args++;
}
if (num == 0 || num > client->messages_count) {
@@ -72,24 +68,20 @@
static const char *get_size(struct client *client, const char *args,
uoff_t *size)
{
- uoff_t num, last_num;
+ uoff_t num;
- num = 0;
- while (*args != '\0' && *args != ' ') {
+ if (*args != '\0' && *args != ' ') {
if (*args < '0' || *args > '9') {
client_send_line(client, "-ERR Invalid size: %s",
args);
return NULL;
}
- last_num = num;
- num = num*10 + (*args - '0');
- if (num < last_num) {
+ if (str_parse_uoff(args, &num, &args) < 0) {
client_send_line(client, "-ERR Size too large: %s",
args);
return NULL;
}
- args++;
}
while (*args == ' ') args++;
More information about the dovecot-cvs
mailing list