On 5.11.2013, at 16.02, Tomasz Potega <tpotega@wp-sa.pl> wrote:
dovecot's message parser enters an endless loop when fed with certain multipart messages with stray CR characters.
parse_next_body_to_boundary() assumes the '\r' might be the beginning of a boundary line, reducing the block size by one:
Thanks, fixed: http://hg.dovecot.org/dovecot-2.2/rev/aa1aede0f7f2
I have added a check to see if the parser is past the EOF (and omit reducing the block size then) as a band-aid fix, but this might call for a more elegant solution.
I think I did the same fix.
Also I don’t think it’s possible to normally use this as a DoS attack against users, because with mail_save_crlf=no (default) the CRs are stripped. And with mail_save_crlf=yes I’m not sure if such message can even pass through SMTP servers.