From ba13362a52d8749731ba645e5e50e47862a5b91d Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Wed, 24 Nov 2021 17:22:04 +0100
Subject: [PATCH] deal with oversized messages in maildirs

don't try to read messages > 2G, as that will only lead to trouble down the line. this wouldn't have worked on linux anyway (we read in one chunk, and that is limited to (2^31 - 2^12) on all architectures), but on platforms were big reads work, this was a security problem if one synchronized other users' maildirs.

as a minor fix on the side, we now also clip the reported message size, so MaxSize works for excessively big messages.
---
 src/drv_maildir.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/drv_maildir.c b/src/drv_maildir.c
index ea4195d..f916632 100644
--- a/src/drv_maildir.c
+++ b/src/drv_maildir.c
@@ -1168,7 +1168,8 @@ maildir_scan( maildir_store_t *ctx, msg_t_array_alloc_t *msglist )
 			}
 			goto retry;
 		}
-		entry->size = (uint)st.st_size;
+		// The clipped value is good enough for MaxSize comparisons.
+		entry->size = st.st_size > UINT_MAX ? UINT_MAX : (uint)st.st_size;
 	}
 	if (want_tuid || want_msgid) {
 		if (!(f = fopen( buf, "r" ))) {
@@ -1563,12 +1564,17 @@ maildir_fetch_msg( store_t *gctx, message_t *gmsg, msg_data_t *data, int minimal
 		}
 	}
 	fstat( fd, &st );
+	if (st.st_size > INT_MAX) {
+		error( "Maildir error: %s is too big", buf );
+		goto mbad;
+	}
 	data->len = st.st_size;
 	if (data->date == -1)
 		data->date = st.st_mtime;
 	data->data = nfmalloc( data->len );
 	if (read( fd, data->data, data->len ) != data->len) {
 		sys_error( "Maildir error: cannot read %s", buf );
+	  mbad:
 		close( fd );
 		cb( DRV_MSG_BAD, aux );
 		return;
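Review bot: The new clamp compares st.st_size against UINT_MAX, and the second hunk compares it against INT_MAX; both constants come from <limits.h>, and the include block is outside both hunks, so confirm the file (or a header it already pulls in) provides it, or add `#include <limits.h>`. Since entry->size is a uint, UINT_MAX is the right clip bound, but a message sized between INT_MAX and UINT_MAX will pass a large MaxSize filter here and then be rejected as too big by maildir_fetch_msg; that matches the commit's intent, yet is worth a word in the new comment, e.g. `// Messages above INT_MAX are rejected at fetch time anyway.` maildir_scan's body continues on both sides of the hunk.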
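Review bot: The new size guard reads st.st_size directly after an unchecked `fstat( fd, &st );`, so if fstat fails the comparison (and the `data->len = st.st_size` below it) uses whatever st held before; st is declared outside the hunk, so whether it is initialized cannot be seen here. Checking the call and routing failure through the label the commit adds keeps the fix self-contained: `if (fstat( fd, &st ) < 0) { sys_error( "Maildir error: cannot stat %s", buf ); goto mbad; }`. Separately, `mbad:` sits inside the body of the `if (read(...))` block and is jumped to from outside that block — legal C, but easy to misread, and on the new path data->data has not been allocated yet; a comment above the label such as `/* shared error exit: fd is open, data->data may still be unallocated */` would make both entry paths explicit. maildir_fetch_msg's body starts and ends outside the hunk.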