dovecot-2.2: lib-imap: number parsing simplification and hardenning

dovecot at dovecot.org dovecot at dovecot.org
Wed Jul 2 15:23:20 UTC 2014 

details:   http://hg.dovecot.org/dovecot-2.2/rev/59b6893fbf65
changeset: 17553:59b6893fbf65
user:      Phil Carmody <phil at dovecot.fi>
date:      Wed Jul 02 18:21:24 2014 +0300
description:
lib-imap: number parsing simplification and hardenning
The invalid string "4772185884" (2^32*10/9) will be misparsed as being valid.
In uint32_t's, 477218588 * 10 + 4 = 477218588
Many large ranges have this issue, 477218588x-858993459x, 954437176x-...

We have helper functions - use them.

Signed-off-by: Phil Carmody <phil at dovecot.fi>

diffstat:

 src/lib-imap/imap-url.c |  46 ++++++++--------------------------------------
 1 files changed, 8 insertions(+), 38 deletions(-)

diffs (75 lines):

diff -r 1d873182d5a8 -r 59b6893fbf65 src/lib-imap/imap-url.c
--- a/src/lib-imap/imap-url.c	Wed Jul 02 18:21:24 2014 +0300
+++ b/src/lib-imap/imap-url.c	Wed Jul 02 18:21:24 2014 +0300
@@ -128,9 +128,6 @@
 imap_url_parse_number(struct uri_parser *parser, const char *data,
 		      uint32_t *number_r)
 {
-	uint32_t number = 0;
-	const char *p = data;
-
 	/* [IMAP4] RFC3501, Section 9
 	 *
 	 * number          = 1*DIGIT
@@ -138,23 +135,11 @@
 	 *                   ; (0 <= n < 4,294,967,296)
 	 */
 
-	if (i_isdigit(*p)) {
-		do {
-			uint32_t prev = number;
-
-			number = number * 10 + (*p - '0');
-			if (number < prev) {
-				parser->error = "IMAP number is too high";
-				return -1;
-			}
-			p++;
-		} while (i_isdigit(*p));
-
-		if (*p == '\0') {
-			if (number_r != NULL)
-				*number_r = number;
+	if (i_isdigit(*data)) {
+		if (str_to_uint32(data, number_r) == 0)
 			return 1;
-		}
+		parser->error = "IMAP number is too high";
+		return -1;
 	}
 
 	parser->error = t_strdup_printf(
@@ -166,29 +151,14 @@
 imap_url_parse_offset(struct uri_parser *parser, const char *data,
 		      uoff_t *number_r)
 {
-	uoff_t number = 0;
-	const char *p = data;
-
 	/* Syntax for big (uoff_t) numbers. Not strictly IMAP syntax, but this
 	   is handled similarly for Dovecot IMAP FETCH BODY partial <.>
 	   implementation. */
-	if (i_isdigit(*p)) {
-		do {
-			uoff_t prev = number;
-
-			number = number * 10 + (*p - '0');
-			if (number < prev) {
-				parser->error = "IMAP number is too high";
-				return -1;
-			}
-			p++;
-		} while (i_isdigit(*p));
-
-		if (*p == '\0') {
-			if (number_r != NULL)
-				*number_r = number;
+	if (i_isdigit(*data)) {
+		if (str_to_uoff(data, number_r) == 0)
 			return 1;
-		}
+		parser->error = "IMAP number is too high";
+		return -1;
 	}
 
 	parser->error = t_strdup_printf(

More information about the dovecot-cvs mailing list