Bill Boebel
2006-Apr-21 23:09 UTC
[Dovecot] Bug: quota-maildir.c, array accessed out of bounds
Timo,

In src/plugins/quota/quota-maildir.c, in the maildirsize_read() function, if the maildirsize file is greater than 5120 bytes, this code breaks because the while loop executes multiple times, incrementing size to a value larger than 5120, and then size is later used to reference the buf array out of bounds. To fix it you could add a break statement after "size += ret;" so that the while loop is always only executed once:

    char buf[5120+1];
    ...
    size = 0;
    while ((ret = read(fd, buf, sizeof(buf)-1)) != 0) {
        if (ret < 0) {
            if (errno == ESTALE)
                break;
            mail_storage_set_critical(storage,
                "read(%s) failed: %m", path);
        }
        size += ret;
    }

    if (ret < 0 || size == sizeof(buf)-1) {
        /* error / recalculation needed. */
        (void)close(fd);
        t_pop();
        return ret < 0 ? -1 : 0;
    }

    /* file is smaller than 5120 bytes, which means we can use it */
    root->total_bytes = root->total_count = 0;

    /* skip the last line if there's no LF at the end */
    while (size > 0 && buf[size-1] != '\n')
        size--;
    buf[size] = '\0';
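The accounting error described in the report, shown in a stand-alone program (an added example, not Dovecot code and not the patch the report proposes): the first function repeats the original loop's bookkeeping and only counts what `size` ends up as, so it never touches `buf` out of bounds; the second is a bounded reader that writes into the unused tail of the buffer, so `size` can never exceed `sizeof(buf)-1`. It goes slightly beyond the one-`read()`-then-`break` fix in that it also tolerates short reads. The `make_fixture` helper and the 5120-byte limit are assumptions made for the demonstration; the file contents are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAILDIRSIZE_BUF 5120   /* same buffer size as the reported code */

/* Constructed fixture (not Dovecot code): a temporary file of `len` bytes,
   'x' with a '\n' every 64th byte, rewound to offset 0. */
static FILE *make_fixture(size_t len)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++)
        fputc(i % 64 == 63 ? '\n' : 'x', fp);
    fflush(fp);
    rewind(fp);
    return fp;
}

/* Mirrors the bookkeeping of the reported loop: keep reading whole
   buffer-fulls and add each `ret` to `size` until EOF.  For a file
   larger than the buffer the returned `size` exceeds sizeof(buf)-1,
   which is exactly the index the original code later applies to buf[].
   This function only counts; it performs no out-of-bounds access. */
static ssize_t buggy_size_accounting(int fd)
{
    char buf[MAILDIRSIZE_BUF + 1];
    ssize_t ret, size = 0;

    while ((ret = read(fd, buf, sizeof(buf) - 1)) != 0) {
        if (ret < 0)
            return -1;
        size += ret;
    }
    return size;
}

/* Bounded reader (my own variant of the fix): read into buf + size with
   the remaining capacity, so the loop stops when the buffer is full.
   Returns -1 on read error, 0 when the file does not fit and the caller
   must recalculate (the same condition the original tests), otherwise the
   number of bytes kept after dropping an unterminated last line. */
static ssize_t read_maildirsize_bounded(int fd, char *buf, size_t bufsize)
{
    size_t size = 0;
    ssize_t ret = 0;

    while (size < bufsize - 1 &&
           (ret = read(fd, buf + size, bufsize - 1 - size)) != 0) {
        if (ret < 0)
            return -1;
        size += (size_t)ret;
    }
    if (size == bufsize - 1)
        return 0;                       /* recalculation needed */

    /* skip the last line if there's no LF at the end */
    while (size > 0 && buf[size - 1] != '\n')
        size--;
    buf[size] = '\0';
    return (ssize_t)size;
}

int main(void)
{
    char buf[MAILDIRSIZE_BUF + 1];
    FILE *big = make_fixture(8000);
    FILE *small = make_fixture(100);
    if (big == NULL || small == NULL)
        return 1;

    printf("buggy accounting on 8000-byte file: size = %zd (buffer holds %d)\n",
           buggy_size_accounting(fileno(big)), MAILDIRSIZE_BUF);
    lseek(fileno(big), 0, SEEK_SET);
    printf("bounded reader on 8000-byte file: %zd (0 = recalculate)\n",
           read_maildirsize_bounded(fileno(big), buf, sizeof(buf)));
    printf("bounded reader on 100-byte file: %zd bytes kept\n",
           read_maildirsize_bounded(fileno(small), buf, sizeof(buf)));
    return 0;
}
```

On the 8000-byte fixture the original bookkeeping ends with `size` = 8000, so `buf[size-1]` would be read 2879 bytes past the end of the array; the bounded reader stops at 5120 and reports "recalculate" instead. On the 100-byte fixture it keeps 64 bytes, the last complete line.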