CVE-2021-3657: reject excessively large IMAP literals

we didn't limit the 32-bit size of literals so far, which, given that we
use int-sized lengths & offsets, permitted all kinds of buffer
overflows. malicious/compromised servers may have been able to exploit
this. actual email senders would be constrained by size limits for
delivered mails, and to cause more than a crash they'd have to predict
the exact size of the final message.

we now limit to 2GB, which, given that we use unsigned ints since
e2d3b4d55 (v1.4.0), gives the handlers downstream plenty of headroom.

an alternative would have been using 64-bit offsets, but this seems like
major overkill, even if IMAP4rev2 recently mandated it (we talk only
IMAP4rev1, so we can ignore it).
This commit is contained in:
Oswald Buddenhagen 2021-11-24 19:21:48 +01:00
parent 87065c12b4
commit 463272eab8

View File

@ -877,6 +877,11 @@ parse_imap_list( imap_store_t *ctx, char **sp, parse_list_state_t *sts )
bytes = (int)(cur->len = strtoul( s + 1, &s, 10 ));
if (*s != '}' || *++s)
goto bail;
if ((uint)bytes >= INT_MAX) {
error( "IMAP error: excessively large literal from %s "
"- THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", ctx->conn.name );
goto bail;
}
s = cur->val = nfmalloc( cur->len + 1 );
s[cur->len] = 0;