Out of bounds read error in wildcard_match.c

Hanno Böck hanno at hboeck.de
Sat Jun 27 16:05:53 UTC 2015


I discovered an out of bounds read error in the file wildcard_match.c.
Here's the code:
   /* find the end of each string */
   while (*(++mask));
   while (*(++data));

The problem with this: It will search for the end of the strings
(zero-terminated), but it'll only start at position 1, not at position
0 (because the ++ in front of the variable will first increment and
then return the value). However these strings can be empty.

This can be fixed by changing ++mask to mask++ (and same for data),
then there must be a -=2 instead of -- afterwards. See attached patch.

I found this by compiling dovecot with address sanitizer and running
the test suite.

Hanno Böck

mail/jabber: hanno at hboeck.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-2.2.18-oob-wildcard-match.diff
Type: text/x-patch
Size: 506 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20150627/7ef41c31/attachment.bin>
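
Added example, not part of the original message or of dovecot's code: the two scan idioms from the report run side by side on a non-empty string and on an empty one. The function names and the `empty_then_junk` buffer are hypothetical and constructed for illustration. The empty string is placed inside a larger array so the overrun can be observed without reading outside the buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Original idiom: pre-increment, so s[0] is never tested.
 * Returns the index of the terminator the loop stops on. */
static size_t end_preinc(const char *s)
{
    const char *p = s;
    while (*(++p))
        ;
    return (size_t)(p - s);
}

/* Idiom from the report's fix: post-increment tests s[0] first.
 * After the loop p is one past the terminator, hence the -1 here
 * (and the "-= 2" needed to step back to the last character). */
static size_t end_postinc(const char *s)
{
    const char *p = s;
    while (*(p++))
        ;
    return (size_t)(p - s) - 1;
}

/* Constructed input: an empty string followed by unrelated bytes that
 * are still inside the same array, so the scan past the first
 * terminator is observable without leaving the buffer. */
static const char empty_then_junk[] = { '\0', 'X', 'Y', '\0' };

int main(void)
{
    printf("non-empty: pre=%zu post=%zu\n",
           end_preinc("a*b"), end_postinc("a*b"));
    printf("empty:     pre=%zu post=%zu\n",
           end_preinc(empty_then_junk), end_postinc(empty_then_junk));
    return 0;
}
```

For the empty string the pre-increment scan skips the terminator at index 0 and stops only at the next zero byte it meets; in a real allocation that byte may lie outside the buffer, which is what AddressSanitizer flags.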