Hi,

I discovered an out of bounds read error in the file wildcard_match.c. Here's the code:

    /* find the end of each string */
    while (*(++mask));
    mask--;
    while (*(++data));
    data--;

The problem with this: It will search for the end of the strings (zero-terminated), but it'll only start at position 1, not at position 0 (because the ++ in front of the variable will first increment and then return the value). However these strings can be empty.

This can be fixed by changing ++mask to mask++ (and same for data), then there must be a -=2 instead of -- afterwards. See attached patch.

I found this by compiling dovecot with address sanitizer and running the test suite.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42

--- ./dovecot-2.2.18/src/lib/wildcard-match.c 2014-08-20 11:47:58.000000000 +0200
+++ ./dovecot-2.2.18-patch/src/lib/wildcard-match.c 2015-06-27 18:01:43.179991109 +0200
@@ -35,10 +35,10 @@
return ma[0] == '\0' ? MATCH : NOMATCH;
}
/* find the end of each string */
- while (*(++mask));
- mask--;
- while (*(++data));
- data--;
+ while (*(mask++));
+ mask-=2;
+ while (*(data++));
+ data-=2;
while (data >= na) {
/* If the mask runs out of chars before the string, fall back on
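Review bot: at "mask-=2;" and "data-=2;", an empty string leaves the pointer one element before the start of that string, and forming such a pointer is undefined behaviour in C even when it is never dereferenced. The "while (data >= na)" that follows then depends on comparing that pointer against the start of the buffer. Consider handling the empty case explicitly before the scan, or deriving the end position from the string length and walking back with an index, and extend the "find the end of each string" comment to say that the scan has to start at position 0 because either string can be empty.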
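The two scans from the report, rewritten with indices so the difference on an empty string can be observed without an actual out-of-bounds access. This is an added example, not part of the original message or of Dovecot; the function names and the padded buffer are hypothetical and constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* last: index treated as the final character (-1 means "empty").
 * max_read: highest index that was dereferenced during the scan. */
struct scan { ptrdiff_t last; size_t max_read; };

/* Reported code in index form: while (*(++mask)); mask--; */
static struct scan scan_preinc(const char *s)
{
    size_t i = 0;
    while (s[++i] != '\0')   /* increments first, so s[0] is never tested */
        ;
    struct scan r = { (ptrdiff_t)i - 1, i };
    return r;
}

/* Patched code in index form: while (*(mask++)); mask -= 2; */
static struct scan scan_postinc(const char *s)
{
    size_t i = 0;
    while (s[i++] != '\0')   /* tests s[0] first, then increments */
        ;
    struct scan r = { (ptrdiff_t)i - 2, i - 1 };
    return r;
}

/* A scan overreads if it touched a byte past the string's own terminator. */
static int overreads(const char *s, struct scan r)
{
    return r.max_read > strlen(s);
}

/* Constructed input: an empty string followed by padding and a sentinel NUL,
 * so the pre-increment scan stays inside this array while running past the
 * terminator at index 0. */
static const char padded_empty[4] = { '\0', 'X', 'Y', '\0' };

int main(void)
{
    struct scan a = scan_preinc(padded_empty);
    struct scan b = scan_postinc(padded_empty);
    printf("pre-increment:  last=%td max_read=%zu overread=%d\n",
           a.last, a.max_read, overreads(padded_empty, a));
    printf("post-increment: last=%td max_read=%zu overread=%d\n",
           b.last, b.max_read, overreads(padded_empty, b));
    return 0;
}
```

Both scans agree on non-empty strings; only the empty string makes the pre-increment form skip the terminator.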
