22 Apr 2006, 2:09 a.m.

        Timo,
In src/plugins/quota/quota-maildir.c, in the maildirsize_read() function, if the maildirsize file is greater than 5120 bytes, this code breaks because the while loop executes multiple times, incrementing size to a value larger than 5120, and then size is later used to reference the buf array out of bounds. To fix it you could add a break statement after "size+= ret;" so that the while loop is always only executed once:
    char buf[5120+1];
    ...
    size = 0;
    while ((ret = read(fd, buf, sizeof(buf)-1)) != 0) {
            if (ret < 0) {
                    if (errno == ESTALE)
                            break;
                    mail_storage_set_critical(storage, "read(%s) failed: %m",
                                              path);
            }
            size += ret;
    }
    if (ret < 0 || size == sizeof(buf)-1) {
            /* error / recalculation needed. */
            (void)close(fd);
            t_pop();
            return ret < 0 ? -1 : 0;
    }
    /* file is smaller than 5120 bytes, which means we can use it */
    root->total_bytes = root->total_count = 0;
    /* skip the last line if there's no LF at the end */
    while (size > 0 && buf[size-1] != '\n') size--;
    buf[size] = '\0';
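
A bounded form of the read loop discussed in the message above, as an added example (not part of the original post and not Dovecot's code): each read() appends at buf + size and never asks for more than the space left, so a file at or over the limit is reported for recalculation instead of pushing size past the array. The names read_small, classify and SMALL_MAX, the small 16-byte limit, and the sample contents are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SMALL_MAX 16	/* stand-in for the 5120 limit, small so the demo is easy to follow */

/* Returns the usable length (>= 0), -2 if the file does not fit, -1 on read error. */
static long read_small(int fd, char *buf, size_t bufsize)
{
	size_t size = 0, limit = bufsize - 1;	/* keep one byte for the NUL */
	ssize_t ret;

	while (size < limit) {
		ret = read(fd, buf + size, limit - size);	/* append, bounded by space left */
		if (ret < 0 && errno == EINTR)
			continue;
		if (ret < 0)
			return -1;
		if (ret == 0)
			break;				/* EOF */
		size += (size_t)ret;
	}
	if (size == limit)
		return -2;	/* limit bytes or more: caller must recalculate */
	/* skip the last line if there's no LF at the end */
	while (size > 0 && buf[size - 1] != '\n')
		size--;
	buf[size] = '\0';
	return (long)size;
}

/* Demo helper: feed constructed contents through a pipe and classify them. */
static long classify(const char *data)
{
	char buf[SMALL_MAX + 1];
	int p[2];
	long r;

	if (pipe(p) < 0)
		return -1;
	if (write(p[1], data, strlen(data)) < 0) { close(p[0]); close(p[1]); return -1; }
	close(p[1]);
	r = read_small(p[0], buf, sizeof(buf));
	close(p[0]);
	return r;
}

int main(void) { printf("%ld %ld\n", classify("10S\n5 1\n"), classify("10S\n5 1\n-5 -1\n12345 1\n")); return 0; }
```

With the 22-byte input the loop stops after filling 16 bytes and returns -2, whereas the loop in the message would keep reading and leave size at 22 for the later buf[size-1] access.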