Hi,
On 26.9.2011, at 19.56, Christoph Bussenius wrote:
/* make sure two hierarchy separators aren't next to each others */ for (p = storage_name+1; *p != '\0'; p++) { if (p[0] == ns->real_sep && p[-1] == ns->real_sep) { client_send_tagline(cmd, "NO Invalid mailbox name."); return NULL; } }
The loop iterates over the string storage_name starting from its second byte. However, the string may be "". This is the case if you select the root of a namespace, like in "SELECT shared" or "SELECT shared/user1". In that case, the code will read past the end of the buffer from random memory until it finds a zero byte or a duplicate separator.
I finally managed to get this far in my mail backlog. :) Yes, that's a bug. Fixed now slightly differently than you: http://hg.dovecot.org/dovecot-2.0/rev/d406e376f8ee