commit 87065c12b477ee7239dd907f352dda5289c0c919
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Mon Nov 22 20:57:24 2021 +0100

    CVE-2021-44143: don't overflow heap on messages without headers
    
    when a broken/compromised/malicious server gives us a message that
    starts with an empty line, we'd enter the path for inserting a pristine
    placeholder subject, for which we unfortunately didn't actually allocate
    space (unless MaxSize is in use and the message exceeds it).
    
    note that this cannot be triggered by merely receiving a crafted mail
    with no headers (yes, it's actually possible to send such a thing), as
    the delivery of mails adds plenty of headers.
    
    amends 70bad661.

 src/sync.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/sync.c b/src/sync.c
index 9804b7e..79dc223 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -410,7 +410,7 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
 {
        char *in_buf = vars->data.data;
        uint in_len = vars->data.len;
-       uint idx = 0, sbreak = 0, ebreak = 0, break2 = 0;
+       uint idx = 0, sbreak = 0, ebreak = 0, break2 = UINT_MAX;
        uint lines = 0, hdr_crs = 0, bdy_crs = 0, app_cr = 0, extra = 0;
        uint add_subj = 0;
 
@@ -428,7 +428,7 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
                                        if (!vars->minimal)
                                                goto oke;
                                } else {
-                                       if (!break2 && vars->minimal && 
!strncasecmp( in_buf + start, "Subject:", 8 )) {
+                                       if (break2 == UINT_MAX && vars->minimal 
&& !strncasecmp( in_buf + start, "Subject:", 8 )) {
                                                break2 = start + 8;
                                                if (in_buf[break2] == ' ')
                                                        break2++;
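Review bot: `break2` is only ever assigned under `vars->minimal` — here, and in the blank-line branch of the next hunk, which is nested in `if (vars->minimal)` — so in non-minimal mode it keeps its `UINT_MAX` initial value for the whole header scan, and the guard added in the last hunk depends on exactly that. Nothing at this site says so; a comment above the condition would tie the two together: `/* break2 is only set in minimal mode; otherwise it stays UINT_MAX and no placeholder subject is emitted */`. The enclosing loop starts and ends outside the hunk.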
@@ -441,7 +441,7 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
                                                sbreak = ebreak = start;
                                        if (vars->minimal) {
                                                in_len = idx;
-                                               if (!break2) {
+                                               if (break2 == UINT_MAX) {
                                                        break2 = start;
                                                        add_subj = 1;
                                                }
@@ -496,7 +496,7 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
        char *out_buf = vars->data.data = nfmalloc( vars->data.len );
        idx = 0;
        if (vars->srec) {
-               if (break2 && break2 < sbreak) {
+               if (break2 < sbreak) {
                        copy_msg_bytes( &out_buf, in_buf, &idx, break2, in_cr, 
out_cr );
                        memcpy( out_buf, dummy_pfx, strlen(dummy_pfx) );
                        out_buf += strlen(dummy_pfx);
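Review bot: Dropping the `break2 &&` guard is correct only because `break2` is `uint` and `UINT_MAX < sbreak` can never hold, which is not visible at the site; a later change of the sentinel or of the variable's type would silently reopen this branch for the no-Subject case. A one-line comment would make the reliance explicit: `/* Subject: found inside the headers; break2 == UINT_MAX (none found) never satisfies this */`. The surrounding `if (vars->srec)` block continues past the hunk.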
@@ -512,7 +512,7 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars )
                *out_buf++ = '\n';
                idx = ebreak;
 
-               if (break2 >= sbreak) {
+               if (break2 != UINT_MAX && break2 >= sbreak) {
                        copy_msg_bytes( &out_buf, in_buf, &idx, break2, in_cr, 
out_cr );
                        if (!add_subj) {
                                memcpy( out_buf, dummy_pfx, strlen(dummy_pfx) );
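Review bot: The added `break2 != UINT_MAX` is the check that keeps a message with no `Subject:` header in non-minimal mode out of the `memcpy( out_buf, dummy_pfx, ... )` below, which per the commit message wrote into a buffer that `nfmalloc( vars->data.len )` in the previous hunk had not been sized for; nothing at the site records that, and the size computation itself is outside the diff. A comment would preserve the reason: `/* no Subject: at all and not minimal: nothing was sized for a placeholder, so emit none */`. If the file already uses assert(), a debug check before the memcpy such as `assert( out_buf + strlen(dummy_pfx) <= vars->data.data + vars->data.len );` would turn any future sizing mismatch into an immediate failure instead of a heap overflow. The block continues outside the hunk.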

