dovecot-2.2: lib: uri-util - harden uri_parse_dec_octet() again...

dovecot at dovecot.org
Wed Jul 2 15:23:26 UTC 2014


details:   http://hg.dovecot.org/dovecot-2.2/rev/439bba739c49
changeset: 17561:439bba739c49
user:      Phil Carmody <phil at dovecot.fi>
date:      Wed Jul 02 18:21:24 2014 +0300
description:
lib: uri-util - harden uri_parse_dec_octet() against overflow
Invalid input 284 (2^8*10/9) is incorrectly parsed as valid.
28 * 10 + 4 = 284 == 28 (mod 2^8), so the wrap detection fails.

Signed-off-by: Phil Carmody <phil at dovecot.fi>

diffstat:

 src/lib/uri-util.c |  6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

diffs (24 lines):

diff -r a39ccb12c14f -r 439bba739c49 src/lib/uri-util.c
--- a/src/lib/uri-util.c	Wed Jul 02 18:21:24 2014 +0300
+++ b/src/lib/uri-util.c	Wed Jul 02 18:21:24 2014 +0300
@@ -258,7 +258,7 @@
 uri_parse_dec_octet(struct uri_parser *parser, string_t *literal,
 		    uint8_t *octet_r)
 {
-	uint8_t octet = 0;
+	unsigned int octet = 0;
 	int count = 0;
 
 	/* RFC 3986:
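
Review bot: At the declaration `unsigned int octet = 0;`, the accumulator is now wider than the `uint8_t *octet_r` out-parameter, so any store through `octet_r` becomes an implicit narrowing that is safe only because of the range check in the loop. Consider an explicit `(uint8_t)` cast at that store, plus a one-line comment on the declaration saying the wider type is required for the `> 255` comparison, so a later cleanup does not change it back to `uint8_t` and silently reintroduce the wrap.
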
@@ -271,10 +271,8 @@
 	 */
 
 	while (parser->cur < parser->end && i_isdigit(*parser->cur)) {
-		uint8_t prev = octet;
-
 		octet = octet * 10 + (parser->cur[0] - '0');
-		if (octet < prev)
+		if (octet > 255)
 			return -1;
 
 		if (literal != NULL)
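
Review bot: The new `if (octet > 255)` test rejects on value only, so within the visible loop a long run of leading zeros keeps `octet` small and never trips it; if `count` is not already what limits the loop to three digits, add that bound here, since an RFC 3986 dec-octet is at most three digits. The fix also deserves a regression test for 255, 256 and 284, the last being the case from the commit message that wrapped to 28 and passed the old `octet < prev` comparison.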

