[Dovecot] [PATCH] Bad boundary check in client_find_namespace
Hi,

while trying to investigate the bug I reported last week, I found that there is a broken boundary check in client_find_namespace in src/imap/imap-commands-util.c. The code is:

    /* make sure two hierarchy separators aren't next to each others */
    for (p = storage_name+1; *p != '\0'; p++) {
        if (p[0] == ns->real_sep && p[-1] == ns->real_sep) {
            client_send_tagline(cmd, "NO Invalid mailbox name.");
            return NULL;
        }
    }

The loop iterates over the string storage_name starting from its second byte. However, the string may be "". This is the case if you select the root of a namespace, like in "SELECT shared" or "SELECT shared/user1". In that case, the code will read past the end of the buffer from random memory until it finds a zero byte or a duplicate separator.

This would fix it:

diff -ru dovecot-2.0.15.orig/src/imap/imap-commands-util.c dovecot-2.0.15/src/imap/imap-commands-util.c --- dovecot-2.0.15.orig/src/imap/imap-commands-util.c 2011-08-02 12:29:37.000000000 +0200 +++ dovecot-2.0.15/src/imap/imap-commands-util.c 2011-09-26 18:33:16.121917759 +0200 @@ -81,7 +81,9 @@ } /* make sure two hierarchy separators aren't next to each others */ - for (p = storage_name+1; *p != '\0'; p++) { + for (p = storage_name; *p != '\0'; p++) { + if (p == storage_name) + continue; if (p[0] == ns->real_sep && p[-1] == ns->real_sep) { client_send_tagline(cmd, "NO Invalid mailbox name."); return NULL;

Cheers,
Christoph Bußenius

-- 
Christoph Bußenius
Rechnerbetriebsgruppe der Fakultäten Informatik und Mathematik
TU München
+49 89-289-18519 <> Raum 00.05.055 <> Boltzmannstr. 3 <> Garching
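Review bot: the guard `if (p == storage_name) continue;` is re-evaluated on every iteration only to skip the first one; since the one input the original loop mishandles is an empty storage_name (for which `storage_name+1` already points past the terminating NUL), the same fix reads more clearly as a single test before the loop, `if (*storage_name != '\0')`, wrapping the unchanged `for (p = storage_name+1; *p != '\0'; p++)`. Both forms are correct: in the patched loop, once `p != storage_name` holds, `p - 1 >= storage_name`, so the `p[-1]` read stays inside the string for every remaining iteration, and for "" the loop body never runs at all.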
Hi,
On 26.9.2011, at 19.56, Christoph Bussenius wrote:
    /* make sure two hierarchy separators aren't next to each others */
    for (p = storage_name+1; *p != '\0'; p++) {
        if (p[0] == ns->real_sep && p[-1] == ns->real_sep) {
            client_send_tagline(cmd, "NO Invalid mailbox name.");
            return NULL;
        }
    }
The loop iterates over the string storage_name starting from its second byte. However, the string may be "". This is the case if you select the root of a namespace, like in "SELECT shared" or "SELECT shared/user1". In that case, the code will read past the end of the buffer from random memory until it finds a zero byte or a duplicate separator.
I finally managed to get this far in my mail backlog. :) Yes, that's a bug. Fixed now slightly differently than you: http://hg.dovecot.org/dovecot-2.0/rev/d406e376f8ee
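The over-read Christoph describes, with the adjacent-separator check rewritten so that an empty storage_name is handled, as an added example constructed for this page (not code from the Dovecot tree or from either poster; the function names, the '/' separator and the sample names are assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Adjacent-separator check from the report above, rewritten so it is safe
 * for an empty name. Constructed example; not Dovecot's code. */
static bool has_adjacent_separators(const char *name, char sep)
{
    const char *p;

    /* The original loop started at name + 1 unconditionally. For name == ""
     * that is one byte past the terminating NUL, so *p and p[-1] read
     * outside the string until a NUL or a separator pair happens to be found. */
    if (*name == '\0')
        return false;
    for (p = name + 1; *p != '\0'; p++) {
        /* p >= name + 1 here, so p[-1] is always inside the string */
        if (p[0] == sep && p[-1] == sep)
            return true;
    }
    return false;
}

/* Same check over an explicit length: an index loop starting at 1 with an
 * upper bound of len handles len == 0 without a special case. Added as a
 * generalisation for buffers that are not NUL-terminated. */
static bool has_adjacent_separators_n(const char *name, size_t len, char sep)
{
    for (size_t i = 1; i < len; i++) {
        if (name[i] == sep && name[i - 1] == sep)
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed mailbox names; "" is what selecting a namespace root
     * such as "SELECT shared" reduces to once the prefix is stripped */
    const char *names[] = { "", "shared", "shared/user1", "shared//user1", "/" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        printf("\"%s\": %s\n", names[i],
               has_adjacent_separators(names[i], '/')
                   ? "NO Invalid mailbox name." : "ok");
    }
    return 0;
}
```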
Hi,
I'm glad to see my report finally arrive, thank you :)
On 09.02.2012 04:02, Timo Sirainen wrote:
Fixed now slightly differently than you:
No problem – I agree that my code was a bit kludgy.
I noticed that my original mail might be a bit unclear:
while trying to investigate the bug I reported last week, I found that there is a broken boundary check
So I just want to make clear that this patch does not fix the other problem that I reported at http://www.dovecot.org/list/dovecot/2011-September/061316.html (“Strange behavior from shared namespaces and INBOX, probably a bug”).
Cheers, Christoph
-- 
Christoph Bußenius
Rechnerbetriebsgruppe der Fakultäten Informatik und Mathematik
TU München
+49 89-289-18519 <> Raum 00.05.055 <> Boltzmannstr. 3 <> Garching