dovecot-2.2: pop3: pop3-commands - harden integer parsers agains...

dovecot at dovecot.org dovecot at dovecot.org
Wed Jul 2 15:23:26 UTC 2014 

details:   http://hg.dovecot.org/dovecot-2.2/rev/2ed2ab04b63d
changeset: 17563:2ed2ab04b63d
user:      Phil Carmody <phil at dovecot.fi>
date:      Wed Jul 02 18:21:24 2014 +0300
description:
pop3: pop3-commands - harden integer parsers against integer overflow
In get_msgnum(), the invalid input "4772185884" (2^32*10/9) would be
parsed as being valid.

In get_size(), the invalid input "204963823041217240178" (2^64*10/9)
would be parsed as being valid.

We have helpers now, so use them.

Signed-off-by: Phil Carmody <phil at dovecot.fi>

diffstat:

 src/pop3/pop3-commands.c |  20 ++++++--------------
 1 files changed, 6 insertions(+), 14 deletions(-)

diffs (59 lines):

diff -r 2051de7285c4 -r 2ed2ab04b63d src/pop3/pop3-commands.c
--- a/src/pop3/pop3-commands.c	Wed Jul 02 18:21:24 2014 +0300
+++ b/src/pop3/pop3-commands.c	Wed Jul 02 18:21:24 2014 +0300
@@ -28,24 +28,20 @@
 static const char *get_msgnum(struct client *client, const char *args,
 			      unsigned int *msgnum)
 {
-	unsigned int num, last_num;
+	unsigned int num;
 
-	num = 0;
-	while (*args != '\0' && *args != ' ') {
+	if (*args != '\0' && *args != ' ') {
 		if (*args < '0' || *args > '9') {
 			client_send_line(client,
 				"-ERR Invalid message number: %s", args);
 			return NULL;
 		}
 
-		last_num = num;
-		num = num*10 + (*args - '0');
-		if (num < last_num) {
+		if (str_parse_uint(args, &num, &args) < 0) {
 			client_send_line(client,
 				"-ERR Message number too large: %s", args);
 			return NULL;
 		}
-		args++;
 	}
 
 	if (num == 0 || num > client->messages_count) {
@@ -72,24 +68,20 @@
 static const char *get_size(struct client *client, const char *args,
 			    uoff_t *size)
 {
-	uoff_t num, last_num;
+	uoff_t num;
 
-	num = 0;
-	while (*args != '\0' && *args != ' ') {
+	if (*args != '\0' && *args != ' ') {
 		if (*args < '0' || *args > '9') {
 			client_send_line(client, "-ERR Invalid size: %s",
 					 args);
 			return NULL;
 		}
 
-		last_num = num;
-		num = num*10 + (*args - '0');
-		if (num < last_num) {
+		if (str_parse_uoff(args, &num, &args) < 0) {
 			client_send_line(client, "-ERR Size too large: %s",
 					 args);
 			return NULL;
 		}
-		args++;
 	}
 
 	while (*args == ' ') args++;

More information about the dovecot-cvs mailing list