[Dovecot] Message parser loops on certain messages (e.g. with a trailing CR character)
Timo Sirainen
tss at iki.fi
Tue Nov 5 20:19:09 EET 2013
On 5.11.2013, at 16.02, Tomasz Potega <tpotega at wp-sa.pl> wrote:
> dovecot's message parser enters an endless loop when fed with certain
> multipart messages with stray CR characters.
>
> parse_next_body_to_boundary() assumes the '\r' might be the beginning
> of a boundary line, reducing the block size by one:
Thanks, fixed: http://hg.dovecot.org/dovecot-2.2/rev/aa1aede0f7f2
> I have added a check to see if the parser is past the EOF (and omit
> reducing the block size then) as a band-aid fix, but this might call
> for a more elegant solution.
I think I did the same fix.
Also I don’t think it’s possible to normally use this as a DoS attack against users, because with mail_save_crlf=no (default) the CRs are stripped. And with mail_save_crlf=yes I’m not sure if such message can even pass through SMTP servers.
More information about the dovecot
mailing list