From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Fri, 10 May 2019 19:24:51 +0300
Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs
IMAP doesn't allow NULs except in binary literals. We'll still allow them
in regular literals as well, but just not in strings.
This fixes a bug with unescaping a string with NULs: str_unescape() could
have been called for memory that points outside the allocated string,
causing heap corruption. This could cause crashes or theoretically even
result in a remote code execution exploit.
Found by Nick Roessler and Rafi Rubin
---
 src/lib-imap/imap-parser.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
c9ace8
index dddf55189..f41668d7a 100644
c9ace8
--- a/src/lib-imap/imap-parser.c
c9ace8
+++ b/src/lib-imap/imap-parser.c
c9ace8
@@ -363,6 +363,11 @@ static bool imap_parser_read_string(struct imap_parser *parser,
c9ace8
 			break;
c9ace8
 		}
c9ace8
 
c9ace8
+		if (data[i] == '\0') {
c9ace8
+			parser->error = "NULs not allowed in strings";
c9ace8
+			return FALSE;
c9ace8
+		}
c9ace8
+
c9ace8
 		if (data[i] == '\\') {
c9ace8
 			if (i+1 == data_size) {
c9ace8
 				/* known data ends with '\' - leave it to
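Review bot: The new `data[i] == '\0'` test sits before the backslash branch, so whether a NUL that directly follows a backslash is also rejected depends on code below this hunk, which is not visible here. If the escape branch advances `i` past the escaped byte, that byte is never compared with '\0' and the string would still be accepted with an embedded NUL, contrary to the subject line. If so, the escaped byte should be checked as well, after the `i+1 == data_size` guard: `if (data[i+1] == '\0') { parser->error = "NULs not allowed in strings"; return FALSE; }`. The diffstat lists only imap-parser.c, so a parser test covering a quoted string with a NUL both before and after an escape would pin the behaviour. imap_parser_read_string begins and ends outside the hunk.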
-- 
2.11.0