[dovecot-cvs] dovecot/src/lib-index mail-index.c, 1.230.2.15, 1.230.2.16

tss at dovecot.org tss at dovecot.org
Tue Jan 23 09:57:57 UTC 2007


Update of /var/lib/cvs/dovecot/src/lib-index
In directory talvi:/tmp/cvs-serv1898

Modified Files:
      Tag: branch_1_0
	mail-index.c 
Log Message:
mmap_disable=yes: Verify that header_size and messages_count are low enough
so we don't try to allocate too much memory.



Index: mail-index.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/lib-index/mail-index.c,v
retrieving revision 1.230.2.15
retrieving revision 1.230.2.16
diff -u -d -r1.230.2.15 -r1.230.2.16
--- mail-index.c	17 Jan 2007 23:33:26 -0000	1.230.2.15
+++ mail-index.c	23 Jan 2007 09:57:55 -0000	1.230.2.16
@@ -724,10 +724,12 @@
 		    bool *retry_r, bool try_retry)
 {
 	const struct mail_index_header *hdr;
+	struct stat st;
 	unsigned char buf[512];
 	void *data = NULL;
 	ssize_t ret;
-	size_t pos, records_size;
+	size_t pos;
+	unsigned int records_size, records_count;
 
 	i_assert(map->mmap_base == NULL);
 
@@ -741,6 +743,11 @@
 		return 0;
 	}
 
+	if (fstat(index->fd, &st) < 0) {
+		mail_index_set_syscall_error(index, "fstat()");
+		return -1;
+	}
+
 	if (ret >= 0 && pos >= MAIL_INDEX_HEADER_MIN_SIZE &&
 	    (ret > 0 || pos >= hdr->base_header_size)) {
 		if (hdr->base_header_size < MAIL_INDEX_HEADER_MIN_SIZE ||
@@ -751,6 +758,13 @@
 				hdr->header_size);
 			return 0;
 		}
+		if (hdr->header_size > st.st_size) {
+			mail_index_set_error(index, "Corrupted index file %s: "
+				"Corrupted header size (%u > %"PRIuUOFF_T")",
+				index->filepath, hdr->header_size,
+				st.st_size);
+			return 0;
+		}
 
 		if (pos > hdr->header_size)
 			pos = hdr->header_size;
@@ -773,6 +787,17 @@
 		/* header read, read the records now. */
 		records_size = hdr->messages_count * hdr->record_size;
 
+		if (st.st_size - hdr->header_size < records_size ||
+		    records_size / hdr->messages_count != hdr->record_size) {
+			records_count = (st.st_size - hdr->header_size) /
+				hdr->record_size;
+			mail_index_set_error(index, "Corrupted index file %s: "
+				"messages_count too large (%u > %u)",
+				index->filepath, hdr->messages_count,
+				records_count);
+			return 0;
+		}
+
 		if (map->buffer == NULL) {
 			map->buffer = buffer_create_dynamic(default_pool,
 							    records_size);
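Review bot: The new overflow test `records_size / hdr->messages_count != hdr->record_size` divides by a count read straight from the index header; when messages_count is 0, records_size is also 0, the first half of the `||` is false, and the division runs with a zero divisor. An index for an empty mailbox would presumably carry messages_count == 0, so this looks reachable without any corruption. Guard the division, e.g. `(hdr->messages_count != 0 && records_size / hdr->messages_count != hdr->record_size)`. The division by `hdr->record_size` inside the branch is only safe because a zero record_size never satisfies the condition as written; if record_size is not validated earlier in the function (not visible in this hunk), an explicit check or a comment such as `/* record_size != 0 here: a zero size makes records_size 0 and skips this branch */` would keep that from breaking silently. The enclosing function starts and ends outside the hunk.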


