[Dovecot] Bug: quota-maildir.c, array accessed out of bounds
Bill Boebel
bill at webmail.us
Sat Apr 22 02:09:39 EEST 2006
Timo,
In src/plugins/quota/quota-maildir.c, in the maildirsize_read() function, if the maildirsize file is greater that 5120 bytes, this code breaks because the while loop executes multiple times, incrementing size to a value larger than 5120, and then size is later used to referece the buf array out of bounds. To fix it you could add a break statement after "size+= ret;" so that the while loop is always only executed once:
char buf[5120+1];
...
size = 0;
while ((ret = read(fd, buf, sizeof(buf)-1)) != 0) {
if (ret < 0) {
if (errno == ESTALE)
break;
mail_storage_set_critical(storage, "read(%s) failed: %m",
path);
}
size += ret;
}
if (ret < 0 || size == sizeof(buf)-1) {
/* error / recalculation needed. */
(void)close(fd);
t_pop();
return ret < 0 ? -1 : 0;
}
/* file is smaller than 5120 bytes, which means we can use it */
root->total_bytes = root->total_count = 0;
/* skip the last line if there's no LF at the end */
while (size > 0 && buf[size-1] != '\n') size--;
buf[size] = '\0';
More information about the dovecot
mailing list