[Dovecot] Bug: quota-maildir.c, array accessed out of bounds

Bill Boebel bill at webmail.us
Sat Apr 22 02:09:39 EEST 2006


Timo,

In src/plugins/quota/quota-maildir.c, in the maildirsize_read() function, if the maildirsize file is greater than 5120 bytes, this code breaks because the while loop executes multiple times, incrementing size to a value larger than 5120, and then size is later used to reference the buf array out of bounds.  To fix it you could add a break statement after "size+= ret;" so that the while loop is always only executed once:

        char buf[5120+1];
        ...

        size = 0;
        while ((ret = read(fd, buf, sizeof(buf)-1)) != 0) {
                if (ret < 0) {
                        if (errno == ESTALE)
                                break;
                        mail_storage_set_critical(storage, "read(%s) failed: %m",
                                                  path);
                }
                size += ret;
        }
        if (ret < 0 || size == sizeof(buf)-1) {
                /* error / recalculation needed. */
                (void)close(fd);
                t_pop();
                return ret < 0 ? -1 : 0;
        }

        /* file is smaller than 5120 bytes, which means we can use it */
        root->total_bytes = root->total_count = 0;

        /* skip the last line if there's no LF at the end */
        while (size > 0 && buf[size-1] != '\n') size--;
        buf[size] = '\0';
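
Added example, not part of the original post and not Dovecot's code: a bounded variant of the read loop quoted above. Each read() appends at buf + size and asks only for the space that is left, so size can never exceed the buffer. The names read_small_file, fd_with_bytes and MAILDIRSIZE_MAX are hypothetical, and the input is constructed.

```c
#include <unistd.h>

#define MAILDIRSIZE_MAX 5120 /* same limit as the quoted buf[5120+1] */

/* Hypothetical helper (not a Dovecot function); assumes cap >= 2. Returns 1
 * when the whole input fit in cap-1 bytes (buf is NUL-terminated and cut at
 * the last LF), 0 when it did not fit (recalculate), -1 on read error. */
static int read_small_file(int fd, char *buf, size_t cap, size_t *len_r)
{
	size_t size = 0;
	ssize_t ret;

	while (size < cap - 1) {
		/* append after the bytes already read, never past buf[cap-2] */
		ret = read(fd, buf + size, cap - 1 - size);
		if (ret < 0)
			return -1;
		if (ret == 0)
			break; /* EOF */
		size += (size_t)ret;
	}
	if (size == cap - 1)
		return 0; /* buffer full: too large to trust */
	while (size > 0 && buf[size - 1] != '\n')
		size--; /* skip a last line that has no LF */
	buf[size] = '\0';
	*len_r = size;
	return 1;
}

/* Constructed input: read end of a pipe holding n bytes of "1111\n" lines. */
static int fd_with_bytes(size_t n)
{
	int p[2];
	if (pipe(p) < 0)
		return -1;
	for (size_t i = 0; i < n; i++)
		if (write(p[1], (i % 5 == 4) ? "\n" : "1", 1) != 1)
			break;
	close(p[1]);
	return p[0];
}

int main(void)
{
	char buf[MAILDIRSIZE_MAX + 1];
	size_t len = 0;
	int fd = fd_with_bytes(8000); /* larger than the buffer */
	return read_small_file(fd, buf, sizeof(buf), &len) == 0 ? 0 : 1;
}
```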


