On Tue, Apr 16, 2024 at 06:08:05PM +0200, René Scharfe wrote: > > Shouldn't socket_write() just use size_t / ssize_t? > > Probably size_t. Yes, but you need ssize_t to handle the negative return values. > > In particular, this made me wonder what we would do for larger items. > > Like, say, the actual message to be uploaded. And indeed, we use a > > strbuf to read in the messages and pass the whole buffer for each to > > socket_write(). So we'd possibly quietly truncate such a message. > > Hmm, perhaps we should at least sprinkle in some more overflow checks? Perhaps, but... > > Fixing it is a little more complicated than switching to size_t, because > > the underlying SSL_write() uses an int. So we'd probably need some > > looping, similar to xwrite(). > > Or SSL_write_ex(), which takes and returns size_t. It was added in > OpenSSL 1.1.1, which reached its end of life half a year ago. > > https://www.openssl.org/docs/man1.1.1/man3/SSL_write.html > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ You'd think that when I ran "man SSL_write" while writing the other email I would have noticed that SSL_write_ex() is mentioned right there in the synopsis. But somehow I didn't. I don't think we document a required version for ssl. That version is "only" 5.5 years old, but I think it would be OK here (especially given that imap-send is an optional component with a build-time knob). In which case I think fixing socket_write() would fix this problem, and then building your other patch on top, it doesn't need to worry about INT_MAX at all. Looking at the conversion, I think there's a slight gotcha with retaining the "0" return value from SSL_write_ex() to pass to socket_perror() in the error path. Which makes me wonder about that error path at all; it closes descriptors but doesn't handle SSL at all. Should it be using socket_shutdown()? And should that function set sock->ssl to NULL and the descriptors to -1? The rabbit hole of imap-send is infinite. > > In practice I doubt this is ever an issue. 2GB emails are not likely to > > be usable in general. > > Tough. Who likes to get multi-GB patches in their inbox? Heard of > people exchanging CD images by email decades ago, though, so I > wouldn't rule this out totally. Perhaps that's the last puzzle piece > to convert game studios to perform email reviews of asset-heavy > binary diffs? ;-) OK, I laughed out loud at this. Perhaps a sign of too much Git. -Peff
