Re: [PATCH] imap-send: increase command size limit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Apr 14, 2024 at 06:47:52PM +0200, René Scharfe wrote:

> While 1KB is plenty for user names, passwords and mailbox names,
> there's no point in limiting our commands like that.  Call xstrvfmt()
> instead of open-coding it and use strbuf to format the command to
> send, as we need its length.  Fail hard if it exceeds INT_MAX, because
> socket_write() can't take more than that.

Hmm. I applaud your attention to detail, but this INT_MAX thing is ugly. ;)
Shouldn't socket_write() just use size_t / ssize_t?

In particular, this made me wonder what we would do for larger items.
Like, say, the actual message to be uploaded. And indeed, we use a
strbuf to read in the messages and pass the whole buffer for each to
socket_write(). So we'd possibly quietly truncate such a message.

Fixing it is a little more complicated than switching to size_t, because
the underlying SSL_write() uses an int. So we'd probably need some
looping, similar to xwrite().

In practice I doubt this is ever an issue. 2GB emails are not likely to
be usable in general. And I kind of doubt that this is a reasonable
vector for attacks, since the inputs to imap-send would generally come
from the user themselves (and certainly truncating the attack message is
probably not that interesting, though I imagine one could convince
write_in_full() to do an out-of-bounds read as a size_t becomes a
negative int which becomes a large size_t again).

So I am happy enough with this (especially given my general opinions of
imap-send in the first place).

-Peff




[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux