head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.8 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.6 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.4 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.2 pkgsrc-2011Q2-base:1.2 pkgsrc-2010Q1:1.1.0.18 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.16 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.14 pkgsrc-2009Q3-base:1.1 pkgsrc-2009Q2:1.1.0.12 pkgsrc-2009Q2-base:1.1 pkgsrc-2009Q1:1.1.0.10 pkgsrc-2009Q1-base:1.1 pkgsrc-2008Q4:1.1.0.8 pkgsrc-2008Q4-base:1.1 pkgsrc-2008Q3:1.1.0.6 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.4 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.2 pkgsrc-2008Q2-base:1.1; locks; strict; comment @# @; 1.2 date 2010.06.02.12.50.03; author adam; state dead; branches; next 1.1; 1.1 date 2008.07.13.16.26.17; author tonnerre; state Exp; branches; next ; desc @@ 1.2 log @Changes 1.18: See http://hg.vergenet.net/perdition/perdition/ @ text @$NetBSD: patch-ah,v 1.1 2008/07/13 16:26:17 tonnerre Exp $ --- perdition/imap4_in.c.orig 2005-06-22 07:50:05.000000000 +0200 +++ perdition/imap4_in.c @@@@ -277,6 +277,76 @@@@ int imap4_in_authenticate( #endif /* WITH_PAM_SUPPORT */ +/********************************************************************** + * imap4_in_verify_tag_str + * Verify that a tag is valid + * Pre: tag: io_t to write to + * Return 0 on success + * -1 otherwise + **********************************************************************/ + +/* Excerpts from rfc3501, Section 9. Formal Syntax + * + * The ASCII NUL character, %x00, MUST NOT be used at any time. + * + * tag = 1* + * + * ATOM-CHAR = + * + * atom-specials = "(" / ")" / "{" / SP / CTL / list-wildcards / + * quoted-specials / resp-specials + * + * list-wildcards = "%" / "*" + * + * quoted-specials = DQUOTE / "\" + * + * resp-specials = "]" + * + * Excerpts from rfc2060, Section 9. 
Formal Syntax + * + * CHAR ::= + * + * CTL ::= + */ + +static int imap4_in_verify_tag_str(const token_t *tag) +{ + unsigned char *tag_str; + size_t tag_str_len, i; + + tag_str_len = token_len(tag); + + if (!tag_str_len) + return -1; + + tag_str = token_buf(tag); + + for (i = 0; i < tag_str_len; i++) { + /* Must be ASCII, must not be a control character */ + if (tag_str[i] <= 0x1f || tag_str[i] >= 0x7f) + return -1; + /* Must not be other reserved characters */ + switch(tag_str[i]) { + case '\0': + case '(': + case ')': + case '{': + case ' ': + case '%': + case '*': + case '"': + case '\\': + case ']': + return -1; + } + } + + return 0; +} + + /********************************************************************** * imap4_in_get_pw @@@@ -337,19 +407,20 @@@@ int imap4_in_get_pw(io_t *io, struct pas break; } + if (imap4_in_verify_tag_str(tag)) { + token_assign(tag, (unsigned char *)strdup(IMAP4_UNTAGGED), + strlen(IMAP4_UNTAGGED), 0); + __IMAP4_IN_BAD("Invalid tag, mate"); + goto loop; + } + if((q=vanessa_queue_pop(q, (void **)&tag))==NULL){ VANESSA_LOGGER_DEBUG("vanessa_queue_pop 1"); break; } if(token_is_eol(tag)){ - if(token_is_null(tag)){ - token_assign(tag, strdup(IMAP4_BAD), strlen(IMAP4_BAD), 0); - __IMAP4_IN_BAD("Null tag, mate"); - } - else { - __IMAP4_IN_BAD("Missing command, mate"); - } + __IMAP4_IN_BAD("Missing command, mate"); goto loop; } @ 1.1 log @Add patch for IMAP tag arbitrary code execution in the perdition IMAP server (CVE-2007-5740). @ text @d1 1 a1 1 $NetBSD$ @
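Review bot: The reserved-character switch in imap4_in_verify_tag_str does not reject '+', although RFC 3501 defines a tag as one or more ASTRING-CHARs except "+"; the excerpt of the tag rule quoted in the comment is truncated, so the exclusion is easy to miss. Adding `case '+':` to the list closes the gap, so that a tag echoed at the start of a response line can never be the continuation marker. The `case '\0':` label is unreachable because the range test above it already returns for every byte <= 0x1f; either drop it or mark it as deliberate, since the comment singles out NUL. The header comment's `Pre: tag: io_t to write to` does not describe this function and should read something like `Pre: tag: token holding the client-supplied tag`.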
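Review bot: The new `imap4_in_verify_tag_str(tag)` check sits before `vanessa_queue_pop(q, (void **)&tag)`, so within this hunk it runs on whatever `tag` held before the current line's first token was popped, and the freshly popped tag reaches the `__IMAP4_IN_BAD` paths below unvalidated. Unless code outside the hunk already sets `tag` from the current line, the block should move to directly after the pop's NULL check and before `if(token_is_eol(tag))`. If `tag` can be NULL at the current position, token_len() and token_buf() would also be called on a null token. Separately, the result of `strdup(IMAP4_UNTAGGED)` is handed to token_assign() unchecked together with a non-zero length; test it for NULL first. The enclosing loop in imap4_in_get_pw starts and ends outside the hunk.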