[Dovecot] [PATCH] Bad boundary check in client_find_namespace

Timo Sirainen tss at iki.fi
Thu Feb 9 05:02:02 EET 2012


On 26.9.2011, at 19.56, Christoph Bussenius wrote:

>    /* make sure two hierarchy separators aren't next to each others */
>    for (p = storage_name+1; *p != '\0'; p++) {
>    	if (p[0] == ns->real_sep && p[-1] == ns->real_sep) {
>    		client_send_tagline(cmd, "NO Invalid mailbox name.");
>    		return NULL;
>    	}
>    }
> The loop iterates over the string storage_name starting from its second
> byte.  However, the string may be "".  This is the case if you select
> the root of a namespace, like in "SELECT shared" or
> "SELECT shared/user1".  In that case, the code will read past the end of
> the buffer from random memory until it finds a zero byte or a duplicate
> separator.

I finally managed to get this far in my mail backlog. :) Yes, that's a bug. Fixed now slightly differently than you:
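An added illustration of the bug discussed in this thread; it is not Dovecot's code, Christoph's patch, or the fix Timo committed. The function names and `stale_buf` are hypothetical, and the empty name is placed at the start of a constructed array with leftover bytes behind it so the over-read can be observed without leaving the object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Loop shape from the quoted code: starts at name+1 without first
   checking whether name[0] is already the terminator. */
static bool adjacent_seps_original(const char *name, char sep)
{
	const char *p;

	for (p = name + 1; *p != '\0'; p++) {
		if (p[0] == sep && p[-1] == sep)
			return true;
	}
	return false;
}

/* One possible hardened form (an assumption, not the committed fix):
   an empty name has no second byte, so return before touching it. */
static bool adjacent_seps_checked(const char *name, char sep)
{
	const char *p;

	if (name[0] == '\0')
		return false;
	for (p = name + 1; *p != '\0'; p++) {
		if (p[0] == sep && p[-1] == sep)
			return true;
	}
	return false;
}

/* Constructed sample: empty name followed by stale bytes in the SAME
   array, standing in for whatever memory follows the real buffer. */
static const char stale_buf[] = { '\0', 'o', 'l', 'd', '/', '/', 'x', '\0' };

int main(void)
{
	/* The original loop walks into the stale bytes and finds "//". */
	printf("original on \"\": %d\n", adjacent_seps_original(stale_buf, '/'));
	printf("checked  on \"\": %d\n", adjacent_seps_checked(stale_buf, '/'));
	printf("checked  on \"a//b\": %d\n", adjacent_seps_checked("a//b", '/'));
	return 0;
}
```

With the stale bytes present, the original loop rejects an empty storage name because of data that is not part of the name at all, which is the "until it finds a zero byte or a duplicate separator" behaviour described in the report.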
