Skip to content

Commit

Permalink
lib-mail: Fix out-of-bounds read when parsing an invalid email address
Browse files Browse the repository at this point in the history 
The included unit test doesn't fail, but running it with valgrind shows
"Invalid read of size 1" error.

Broken in d6737a1

Discovered by Aleksandar Nikolic of Cisco Talos
  • Loading branch information
@sirainen @villesavolainen
sirainen authored and villesavolainen committed Mar 6, 2018
1 parent df4c280 commit 60ec9c9
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/lib-mail/message-address.c
View file
Expand Up @@ -221,7 +221,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
/* end of input or parsing local-part failed */
ctx->addr.invalid_syntax = TRUE;
}
if (ret != 0 && *ctx->parser.data == '@') {
if (ret != 0 && ctx->parser.data != ctx->parser.end &&
*ctx->parser.data == '@') {
ret2 = parse_domain(ctx);
if (ret2 <= 0)
ret = ret2;
Expand Down
10 changes: 10 additions & 0 deletions src/lib-mail/test-message-address.c
View file
Expand Up @@ -198,6 +198,16 @@ static void test_message_address(void)
{ "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>",
{ NULL, NULL, NULL, "", "", TRUE },
{ NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },

/* Test against a out-of-bounds read bug - keep these two tests
together in this same order: */
{ "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>",
{ NULL, NULL, NULL, "aaaa", "", TRUE },
{ NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
{ "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>",
{ NULL, NULL, NULL, "", "", TRUE },
{ NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
};
static struct message_address group_prefix = {
NULL, NULL, NULL, "group", NULL, FALSE
Expand Down

0 comments on commit 60ec9c9

Please sign in to comment.