[Dovecot] Message parser loops on certain messages (e.g. with a trailing CR character)

Timo Sirainen tss at iki.fi
Tue Nov 5 20:19:09 EET 2013


On 5.11.2013, at 16.02, Tomasz Potega <tpotega at wp-sa.pl> wrote:

> dovecot's message parser enters an endless loop when fed with certain
> multipart messages with stray CR characters.
> 
> parse_next_body_to_boundary() assumes the '\r' might be the beginning
> of a boundary line, reducing the block size by one:

Thanks, fixed: http://hg.dovecot.org/dovecot-2.2/rev/aa1aede0f7f2

> I have added a check to see if the parser is past the EOF (and omit
> reducing the block size then) as a band-aid fix, but this might call
> for a more elegant solution.

I think I did the same fix.

Also I don’t think it’s possible to normally use this as a DoS attack against users, because with mail_save_crlf=no (default) the CRs are stripped. And with mail_save_crlf=yes I’m not sure if such message can even pass through SMTP servers.



More information about the dovecot mailing list