
lib-mail: Fix out-of-bounds read when parsing an invalid email address

The included unit test doesn't fail, but running it with valgrind shows
"Invalid read of size 1" error.

Broken in d6737a1

Discovered by Aleksandar Nikolic of Cisco Talos
sirainen committed Dec 22, 2017
1 parent 8d65e23 commit b72d864b8c34cb21076214c0b28101baec530141
Showing with 12 additions and 1 deletion.
  1. +2 −1 src/lib-mail/message-address.c
  2. +10 −0 src/lib-mail/test-message-address.c
@@ -221,7 +221,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
/* end of input or parsing local-part failed */
ctx->addr.invalid_syntax = TRUE;
}
if (ret != 0 && *ctx->parser.data == '@') {
if (ret != 0 && ctx->parser.data != ctx->parser.end &&
*ctx->parser.data == '@') {
ret2 = parse_domain(ctx);
if (ret2 <= 0)
ret = ret2;
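Review bot: The added `ctx->parser.data != ctx->parser.end` test in the condition guarding `parse_domain()` has no comment explaining why `ret != 0` does not already imply a readable byte, so a later cleanup could remove it as redundant. From the visible lines a negative `ret` (local-part parsing failed) still satisfies `ret != 0`, and presumably the parser can sit at `parser.end` in that case. A comment such as `/* ret < 0 can leave parser.data at parser.end; check before dereferencing */` would record the invariant. Writing the test as `ctx->parser.data < ctx->parser.end` would also fail closed if `data` ever moved past `end`. parse_addr_spec starts and ends outside the hunk.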
@@ -198,6 +198,16 @@ static void test_message_address(void)
{ "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>",
{ NULL, NULL, NULL, "", "", TRUE },
{ NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },

/* Test against a out-of-bounds read bug - keep these two tests
together in this same order: */
{ "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>",
{ NULL, NULL, NULL, "aaaa", "", TRUE },
{ NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
{ "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>",
{ NULL, NULL, NULL, "", "", TRUE },
{ NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
};
static struct message_address group_prefix = {
NULL, NULL, NULL, "group", NULL, FALSE
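Review bot: The comment above the two new cases says to keep them together and in this order but not why, and it does not mention that the regression is only visible under a memory checker. Per the commit description, the test passes on the broken code unless it is run under valgrind. I would extend it along the lines of `/* Regression test for an out-of-bounds read; only detected under valgrind or a similar memory checker. Keep these two cases adjacent and in this order: <reason>. */`, with the reason filled in by the author, and correct "a out-of-bounds" to "an out-of-bounds". It is also worth confirming that this test binary runs under valgrind or a sanitizer in CI, since otherwise the two cases do not guard against the bug returning. The input array and test_message_address() continue outside the hunk.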
