ID: 42862 Comment by: pubear at u dot washington dot edu Reported By: Maylein at ub dot uni-heidelberg dot de Status: Assigned Bug Type: IMAP related Operating System: Linux 2.6.22 PHP Version: 5.2.4 Assigned To: iliaa New Comment:
I am using imap c-client 2007a with php-5.2.5. I am working with an extensively modified version of: http://migrationtool.sourceforge.net I ran into this issue migrating people's mailboxes in Exchange Server. I wanted to confirm that the patch submitted by sborrill at precedence dot co dot uk appears to have fixed the buffer overflow bug. Thank you very much. Previous Comments: ------------------------------------------------------------------------ [2008-03-04 16:57:55] sborrill at precedence dot co dot uk php_imap.c uses rfc822_write_address() which, with imap-uw sources since 2005, limits the complete returned address list to 16383 bytes in length irrespective of the size of the buffer you pass into it (you don't pass the length, so it can't know the actual size). This means that if you have a large address lists in your To: or Cc: headers, that would expand to more than 16383 characters, PHP will core-dump with SIGABRT. This affects PHP HEAD too. rfc822_write_address is deprecated: * WARNING: These routines are for compatibility with old software only. * * Their use in new software is to be avoided. * * These interfaces do not provide satisfactory buffer checking. In * versions of c-client prior to imap-2005, they did not provide any * buffer checking at all. The fix is to use rfc822_output_address_list(). Patch below (against 5.2.5): --- php_imap.c.orig 2007-07-31 01:31:10.000000000 +0100 +++ php_imap.c 2008-03-04 17:48:30.000000000 +0000 @@ -70,6 +70,7 @@ static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); static int _php_imap_address_size(ADDRESS *addresslist); +static void _php_rfc822_write_address_len (char *dest, ADDRESS *adr, int len); /* the gets we use */ static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); @@ -2137,7 +2138,7 @@ } string[0]='\0'; - rfc822_write_address(string, addr); + _php_rfc822_write_address_len(string, addr, sizeof(string)); RETVAL_STRING(string, 1); } /* }}} */ @@ -2906,13 +2907,13 @@ if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { env->from->next=NULL; address[0] = '\0'; - rfc822_write_address(address, env->from); + _php_rfc822_write_address_len(address, env->from, sizeof(address)); add_property_string(myoverview, "from", address, 1); } if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { env->to->next = NULL; address[0] = '\0'; - rfc822_write_address(address, env->to); + _php_rfc822_write_address_len(address, env->to, sizeof(address)); add_property_string(myoverview, "to", address, 1); } if (env->date) { @@ -3883,6 +3884,34 @@ /* }}} */ +/* {{{ _php_rfc822_soutr + */ +static long _php_rfc822_soutr (void *stream,char *string) +{ + return NIL; +} + +/* }}} */ + + +/* {{{ _php_rfc822_write_address_len + */ +static void _php_rfc822_write_address_len ( char *dest, ADDRESS *adr, int len) +{ + RFC822BUFFER buf; + + buf.beg = dest; + buf.cur = buf.beg; + buf.end = buf.beg + len - 1; + buf.s = NIL; + buf.f = _php_rfc822_soutr; + rfc822_output_address_list (&buf, adr, 0, NIL); + *buf.cur = '\0'; +} + +/* }}} */ + + /* {{{ _php_imap_parse_address */ static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) @@ -3897,7 +3926,7 @@ if ((len = _php_imap_address_size(addresstmp))) { tmpstr = (char *) pemalloc(len + 1, 1); tmpstr[0] = '\0'; - rfc822_write_address(tmpstr, addresstmp); + _php_rfc822_write_address_len(tmpstr, addresstmp, len); *fulladdress = tmpstr; } else { *fulladdress = NULL; ------------------------------------------------------------------------ [2007-10-30 17:15:29] [EMAIL PROTECTED] Reclassified. (This is the correct place for this, it's imap related) ------------------------------------------------------------------------ [2007-10-22 11:44:14] Maylein at ub dot uni-heidelberg dot de No one seems to care about a bug report in the category 'imap related', so I put it now in the category 'reproducible crash'. ------------------------------------------------------------------------ [2007-10-11 08:49:53] Maylein at ub dot uni-heidelberg dot de Please tell me, if there will be a patch for the imap-extension. It's an security issue, isn't it? If you don't plan to patch the imap extension (as I understand from the answer on Bug #40925) then you subsequently need to remove this extension. ------------------------------------------------------------------------ [2007-10-11 08:20:14] Maylein at ub dot uni-heidelberg dot de See also http://archives.devshed.com/forums/networking-100/new-message-writing-routines-in-imap-2005t-1639473.html ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/42862 -- Edit this bug report at http://bugs.php.net/?id=42862&edit=1
