[Dovecot] [PATCH] Bad boundary check in client_find_namespace
Timo Sirainen
tss at iki.fi
Thu Feb 9 05:02:02 EET 2012
Hi,
On 26.9.2011, at 19.56, Christoph Bussenius wrote:
> /* make sure two hierarchy separators aren't next to each others */
> for (p = storage_name+1; *p != '\0'; p++) {
> if (p[0] == ns->real_sep && p[-1] == ns->real_sep) {
> client_send_tagline(cmd, "NO Invalid mailbox name.");
> return NULL;
> }
> }
>
> The loop iterates over the string storage_name starting from its second
> byte. However, the string may be "". This is the case if you select
> the root of a namespace, like in "SELECT shared" or
> "SELECT shared/user1". In that case, the code will read past the end of
> the buffer from random memory until it finds a zero byte or a duplicate
> separator.
I finally managed to get this far in my mail backlog. :) Yes, that's a bug. Fixed now slightly differently than you:
http://hg.dovecot.org/dovecot-2.0/rev/d406e376f8ee
More information about the dovecot
mailing list