commit ba13362a52d8749731ba645e5e50e47862a5b91d
parent 463272eab866a36162fe51813327ca7af2f37ca0
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date: Wed, 24 Nov 2021 17:22:04 +0100
deal with oversized messages in maildirs
don't try to read messages > 2G, as that will only lead to trouble down
the line.
this wouldn't have worked on linux anyway (we read in one chunk, and
that is limited to (2^31 - 2^12) on all architectures), but on
platforms were big reads work, this was a security problem if one
synchronized other users' maildirs.
as a minor fix on the side, we now also clip the reported message size,
so MaxSize works for excessively big messages.
Diffstat:
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/drv_maildir.c b/src/drv_maildir.c
@@ -1168,7 +1168,8 @@ maildir_scan( maildir_store_t *ctx, msg_t_array_alloc_t *msglist )
}
goto retry;
}
- entry->size = (uint)st.st_size;
+ // The clipped value is good enough for MaxSize comparisons.
+ entry->size = st.st_size > UINT_MAX ? UINT_MAX : (uint)st.st_size;
}
if (want_tuid || want_msgid) {
if (!(f = fopen( buf, "r" ))) {
@@ -1563,12 +1564,17 @@ maildir_fetch_msg( store_t *gctx, message_t *gmsg, msg_data_t *data, int minimal
}
}
fstat( fd, &st );
+ if (st.st_size > INT_MAX) {
+ error( "Maildir error: %s is too big", buf );
+ goto mbad;
+ }
data->len = st.st_size;
if (data->date == -1)
data->date = st.st_mtime;
data->data = nfmalloc( data->len );
if (read( fd, data->data, data->len ) != data->len) {
sys_error( "Maildir error: cannot read %s", buf );
+ mbad:
close( fd );
cb( DRV_MSG_BAD, aux );
return;