deal with oversized messages in maildirs

don't try to read messages > 2G, as that will only lead to trouble down
the line.

this wouldn't have worked on linux anyway (we read in one chunk, and
that is limited to (2^31 - 2^12) on all architectures), but on
platforms were big reads work, this was a security problem if one
synchronized other users' maildirs.

as a minor fix on the side, we now also clip the reported message size,
so MaxSize works for excessively big messages.
This commit is contained in:
Oswald Buddenhagen 2021-11-24 17:22:04 +01:00
parent 463272eab8
commit ba13362a52

View File

@ -1168,7 +1168,8 @@ maildir_scan( maildir_store_t *ctx, msg_t_array_alloc_t *msglist )
} }
goto retry; goto retry;
} }
entry->size = (uint)st.st_size; // The clipped value is good enough for MaxSize comparisons.
entry->size = st.st_size > UINT_MAX ? UINT_MAX : (uint)st.st_size;
} }
if (want_tuid || want_msgid) { if (want_tuid || want_msgid) {
if (!(f = fopen( buf, "r" ))) { if (!(f = fopen( buf, "r" ))) {
@ -1563,12 +1564,17 @@ maildir_fetch_msg( store_t *gctx, message_t *gmsg, msg_data_t *data, int minimal
} }
} }
fstat( fd, &st ); fstat( fd, &st );
if (st.st_size > INT_MAX) {
error( "Maildir error: %s is too big", buf );
goto mbad;
}
data->len = st.st_size; data->len = st.st_size;
if (data->date == -1) if (data->date == -1)
data->date = st.st_mtime; data->date = st.st_mtime;
data->data = nfmalloc( data->len ); data->data = nfmalloc( data->len );
if (read( fd, data->data, data->len ) != data->len) { if (read( fd, data->data, data->len ) != data->len) {
sys_error( "Maildir error: cannot read %s", buf ); sys_error( "Maildir error: cannot read %s", buf );
mbad:
close( fd ); close( fd );
cb( DRV_MSG_BAD, aux ); cb( DRV_MSG_BAD, aux );
return; return;