[dovecot-cvs] dovecot/src/plugins/quota quota-maildir.c,1.6,1.7
cras at dovecot.org
cras at dovecot.org
Sat Apr 22 12:34:59 EEST 2006
Update of /var/lib/cvs/dovecot/src/plugins/quota
In directory talvi:/tmp/cvs-serv30976
Modified Files:
quota-maildir.c
Log Message:
Fixed a buffer overflow if maildirsize was over 5120 bytes long. Luckily
almost no-one used maildir++ quota yet and the bug is highly unlikely to be
exploitable anyway.
Index: quota-maildir.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/plugins/quota/quota-maildir.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- quota-maildir.c 21 Apr 2006 14:09:43 -0000 1.6
+++ quota-maildir.c 22 Apr 2006 09:34:57 -0000 1.7
@@ -319,7 +319,7 @@
if (*lines == NULL)
return -1;
- /* first line contains the limits. 0 value mean unlimited. */
+ /* first line contains the limits */
message_bytes_limit = (uint64_t)-1;
message_count_limit = (uint64_t)-1;
for (limit = t_strsplit(lines[0], ","); *limit != NULL; limit++) {
@@ -327,12 +327,10 @@
if (pos[0] != '\0' && pos[1] == '\0') {
switch (pos[0]) {
case 'C':
- if (bytes != 0)
- message_count_limit = bytes;
+ message_count_limit = bytes;
break;
case 'S':
- if (bytes != 0)
- message_bytes_limit = bytes;
+ message_bytes_limit = bytes;
break;
}
}
@@ -418,8 +416,10 @@
return ret;
}
+ /* @UNSAFE */
size = 0;
- while ((ret = read(fd, buf, sizeof(buf)-1)) != 0) {
+ while (size < sizeof(buf)-1 &&
+ (ret = read(fd, buf + size, sizeof(buf)-1 - size)) != 0) {
if (ret < 0) {
if (errno == ESTALE)
break;
@@ -428,7 +428,7 @@
}
size += ret;
}
- if (ret < 0 || size == sizeof(buf)-1) {
+ if (ret < 0 || size >= sizeof(buf)-1) {
/* error / recalculation needed. */
(void)close(fd);
t_pop();
More information about the dovecot-cvs
mailing list