dovecot-2.2: pop3: Fixed buffer overflow with handling pop3_dele...

dovecot at dovecot.org dovecot at dovecot.org
Fri Oct 2 15:32:29 UTC 2015


details:   http://hg.dovecot.org/dovecot-2.2/rev/05e0700daea3
changeset: 19278:05e0700daea3
user:      Timo Sirainen <tss at iki.fi>
date:      Fri Oct 02 18:30:22 2015 +0300
description:
pop3: Fixed buffer overflow with handling pop3_deleted_flag setting.
This has been broken since v2.2.10, although the setting wasn't working
completely correctly before that version either. Afterwards it should have
become obvious quickly enough that the setting is broken, because it started
crashing POP3 sessions in normal use quite soon. So I doubt there are any
installations that are accidentally exploitable.

diffstat:

 src/pop3/pop3-client.c   |  2 ++
 src/pop3/pop3-client.h   |  1 +
 src/pop3/pop3-commands.c |  3 ++-
 3 files changed, 5 insertions(+), 1 deletions(-)

diffs (43 lines):

diff -r 7a7111a5ce5e -r 05e0700daea3 src/pop3/pop3-client.c
--- a/src/pop3/pop3-client.c	Fri Oct 02 12:23:22 2015 +0300
+++ b/src/pop3/pop3-client.c	Fri Oct 02 18:30:22 2015 +0300
@@ -193,6 +193,8 @@
 		if ((mail_get_flags(mail) & MAIL_SEEN) != 0)
 			client->last_seen_pop3_msn = msgnum + 1;
 		client->total_size += size;
+		if (client->highest_seq < mail->seq)
+			client->highest_seq = mail->seq;
 
 		array_append(&message_sizes, &size, 1);
 		msgnum++;
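Review bot: client->highest_seq is only ever raised by the two added lines after client->total_size += size, and nothing in the visible context sets it to 0 before the loop. If this message-list setup can run more than once for the same client, a stale higher value from the earlier pass survives and the [seq] array in pop3-commands.c is sized from it. Suggest an explicit client->highest_seq = 0 at the top of the function, or a comment stating that the struct is zero-allocated and this code runs once.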
diff -r 7a7111a5ce5e -r 05e0700daea3 src/pop3/pop3-client.h
--- a/src/pop3/pop3-client.h	Fri Oct 02 12:23:22 2015 +0300
+++ b/src/pop3/pop3-client.h	Fri Oct 02 18:30:22 2015 +0300
@@ -69,6 +69,7 @@
 
 	/* All sequences currently visible in the mailbox. */
 	ARRAY_TYPE(seq_range) all_seqs;
+	uint32_t highest_seq;
 
 	/* [msgnum] contains mail seq. anything after it has seq = msgnum+1 */
 	uint32_t *msgnum_to_seq_map;
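Review bot: the new highest_seq field has no comment, while both neighbouring fields (all_seqs and msgnum_to_seq_map) document what they hold. This value is now the allocation bound for a [seq]-indexed array, so the header should say so, for example /* Highest mail seq seen while building the message list; size of [seq]-indexed arrays. */, and should note that it is a 1-based sequence, so index seq-1 is the last valid slot.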
diff -r 7a7111a5ce5e -r 05e0700daea3 src/pop3/pop3-commands.c
--- a/src/pop3/pop3-commands.c	Fri Oct 02 12:23:22 2015 +0300
+++ b/src/pop3/pop3-commands.c	Fri Oct 02 18:30:22 2015 +0300
@@ -796,7 +796,7 @@
 	client->uidl_pool = pool_alloconly_create("message uidls", 1024);
 
 	/* first read all the UIDLs into a temporary [seq] array */
-	seq_uidls = i_new(const char *, client->messages_count);
+	seq_uidls = i_new(const char *, client->highest_seq);
 	str = t_str_new(128);
 	while (mailbox_search_next(search_ctx, &mail)) {
 		str_truncate(str, 0);
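Review bot: the allocation on the changed line now uses client->highest_seq, but this hunk does not show how seq_uidls is read back or freed further down. Any later loop that still walks the array with client->messages_count as its bound, or that assumes one slot per listed message, needs the same change, since the overflow described in the commit message implies that a mail's seq can be larger than messages_count. It is also worth confirming that highest_seq == 0 (no messages listed) is an acceptable count for i_new here.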
@@ -811,6 +811,7 @@
 		if (client->set->pop3_save_uidl && !permanent_uidl)
 			mail_update_pop3_uidl(mail, uidl);
 
+		i_assert(mail->seq <= client->highest_seq);
 		seq_uidls[mail->seq-1] = uidl;
 		if (uidl_duplicates_rename)
 			hash_table_insert(prev_uidls, uidl, POINTER_CAST(1));
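Review bot: the added i_assert(mail->seq <= client->highest_seq) checks only the upper bound, while the store on the next line indexes with mail->seq-1, so a seq of 0 would wrap to a very large unsigned index. Extending it to i_assert(mail->seq > 0 && mail->seq <= client->highest_seq) covers both ends. A failed i_assert also aborts the process, so if this search can ever return a mail whose seq is above the value recorded in pop3-client.c, logging an error and skipping that mail would fail more gracefully than a panic in the POP3 session.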

