I've found a segfault condition with extremely large header fields (100+
BCC entries. Yes, BCC, it was a malformed spam). This exists in RC7 and
to the best of my testing, prior versions. Any program (i.e., PHP) linking
to c-client will segfault when it encounters an invalid email of this type.
The problem lies in the parsing done by imap_parse_string in
c-client/imap4r1.c:4123.
The test:
if (!c || (c & 0x80)) { /* server bogon */
looks for c == 0 (end of string) as well as invalid characters; however, it
then does a loop, incrementing past the end of the array. The quick and
dirty fix is to add:
---
if (!c || (c & 0x80)) { /* server bogon */
sprintf (LOCAL->tmp,"Invalid CHAR in quoted string: %x",
(unsigned int) c);
mm_log (LOCAL->tmp,WARN);
+ /* URMK - hacked in to try to prevent a crashing bug... */
+ if (c == 0)
+ break;
do { /* search for end with no further check */
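Review bot: the added `break` only covers c == 0, so the other half of the bogon test is still unhandled: a byte with the high bit set (c & 0x80) is logged and then handed straight to the `do { /* search for end with no further check */` loop, and that loop still has no end-of-string test for a NUL that appears later in the string. Extending the guard to `if (!c || (c & 0x80)) break;` (or adding a NUL test inside the loop) closes both paths. The hunk also does not show what `break` exits, since the enclosing loop or switch lies outside the quoted context; confirm it lands on the error-return path rather than continuing the parse with a partially consumed string. As a style point, the `+` lines carry no `@@` header or leading context indentation, so the patch cannot be applied with `patch`, and the comment "hacked in to try to prevent a crashing bug" should state what is being guarded (unterminated quoted string from the server).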
---
This solves the crash and returns an error. There may be a more appropriate
way to handle it.
This showed up under linux/390 with spam mails with very long header fields
and IBM's VM IMAP server.
-m
--
Michael Kershaw
[EMAIL PROTECTED]
Linux Systems Programmer, Information Technology
"Don't worry, I'm sure they'll listen to Reason." -- Fisheye, Snowcrash
--
------------------------------------------------------------------
For information about this mailing list, and its archives, see:
http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------
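The defect the report describes, as an added example that is not c-client's code: a quoted-string scanner whose bogon test runs once on the first byte and whose search loop then has no end-of-string check, next to a bounded version that tests every byte it consumes. The function names, the escape handling and the sample inputs are assumptions made for this illustration.

```c
#include <stdio.h>

/* Scan the body of an IMAP quoted string, s pointing just after the opening
 * '"'. Returns the body length. Reproduces the reported shape: the bogon test
 * runs once, on the first byte only, and the loop after it has no further
 * check, so a body whose first byte is NUL (a truncated header) keeps reading
 * past the terminator. Shown for contrast; only ever given well-formed input. */
static long scan_quoted_unchecked(const char *s)
{
    const char *start = s;
    unsigned char c = (unsigned char)*s;
    if (!c || (c & 0x80))                 /* server bogon: logged, then ignored */
        fprintf(stderr, "Invalid CHAR in quoted string: %x\n", c);
    do {                                  /* search for end with no further check */
        if (*s == '\\') s += 2;           /* an escaped byte is never the closing quote */
    } while (*s++ != '"');
    return (long)(s - start - 1);
}

/* Bounded form: the length bound and the NUL test apply to every byte consumed,
 * including the byte after a backslash, so truncated or 8-bit input yields -1
 * instead of a walk past the end of the buffer. */
static long scan_quoted_checked(const char *s, size_t len)
{
    for (size_t i = 0; i < len && s[i]; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c & 0x80) {                   /* 8-bit byte is not valid in a quoted string */
            fprintf(stderr, "Invalid CHAR in quoted string: %x\n", c);
            return -1;
        }
        if (c == '"') return (long)i;     /* closing quote found: body is s[0..i) */
        if (c == '\\') {                  /* escaped byte must itself be present and 7-bit */
            if (i + 1 >= len || !s[i + 1] || ((unsigned char)s[i + 1] & 0x80)) break;
            i++;
        }
    }
    fprintf(stderr, "Unterminated or truncated quoted string\n");
    return -1;                            /* the error the report's "if (c == 0) break;" aims for */
}

int main(void)
{
    static const char good[] = "a\\\"b\" rest"; /* constructed: a\"b" then more data */
    static const char cut[]  = "";              /* constructed: cut off right after the opening quote */
    printf("unchecked, well-formed: %ld\n", scan_quoted_unchecked(good));
    printf("checked,   well-formed: %ld\n", scan_quoted_checked(good, sizeof good - 1));
    printf("checked,   truncated  : %ld\n", scan_quoted_checked(cut, sizeof cut - 1));
    return 0;
}
```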