
[Mutt] #2980: url.c:url_parse_mailto: writes past buffer end

 {{{
 ----- Forwarded message from Lionel Elie Mamane <lionel@xxxxxxxxx> -----

 Date: Sat, 26 May 2007 22:48:06 +0200
 From: Lionel Elie Mamane <lionel@xxxxxxxxx>
 Subject: Bug#426158: mutt: writes past buffer end

 Mutt, in its parsing of "mailto:" URLs, in some situations writes
 after the end of a fixed-size buffer. I'm not sure it is exploitable,
 because the data being written is not attacker-controlled (only a null
 character), but I'd rather someone more expert than me at security
 took a look at it.

 It happens in file url.c, function url_parse_mailto, in the else block
 of the very last "if" of the file:

     if (!ascii_strcasecmp (tag, "body"))
     {
       if (body)
         mutt_str_replace (body, value);
     }
     else
     {
       taglen = strlen (tag);
       /* mutt_parse_rfc822_line makes some assumptions */
       snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
       scratch[taglen] = '\0';
       value = &scratch[taglen+1];
       SKIPWS (value);
       mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last);
     }

 scratch is declared like that:

   char scratch[HUGE_STRING];

 where (in lib.h):

  # define HUGE_STRING      5120

 The line

   scratch[taglen] = '\0';

 will write past the end of "scratch". To trigger that, pass as
 argument to mutt:

   mailto:user@xxxxxxxxxxx?Here_a_string_in_URL_percent_encoded_format_that_is_longer_than_5120_characters=foo

 I propose to add:

   if (taglen > sizeof (scratch))
       taglen = sizeof (scratch) - 2;

 as a safety.
 }}}

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2980>
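As an added example (not mutt's code and not the reporter's proposed patch), a bounds-checked version of the tag/value split described in the ticket: the buffer size and the "tag: value" layout are taken from the report, everything else (function and variable names, the constructed inputs) is assumed. It rejects a tag that would not leave room for the terminator and the value pointer instead of writing past the end.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HUGE_STRING 5120  /* mutt's lib.h value, quoted in the report */

/* Hypothetical bounds-checked rewrite of the "else" block (example code, not
 * mutt's own): build "tag: value" in scratch, split it in place, return both
 * halves.  The split touches scratch[taglen] and scratch[taglen+1], so a tag
 * is rejected up front when taglen + 2 bytes do not fit in the buffer. */
static bool split_header(const char *tag, const char *value,
                         char *scratch, size_t scratch_len,
                         char **out_tag, char **out_value)
{
    size_t taglen = strlen(tag);
    if (taglen + 2 > scratch_len)
        return false;   /* the original's scratch[taglen] = '\0' would be out of bounds */
    snprintf(scratch, scratch_len, "%s: %s", tag, value);
    scratch[taglen] = '\0';             /* overwrite the ':', now provably in bounds */
    *out_tag = scratch;
    *out_value = &scratch[taglen + 1];
    while (**out_value == ' ' || **out_value == '\t')   /* mutt's SKIPWS */
        (*out_value)++;
    return true;
}

/* Constructed input: a tag of n 'x' characters with value "foo", split into a
 * HUGE_STRING-sized buffer exactly as url_parse_mailto does. */
static bool tag_of_length_fits(size_t n)
{
    char scratch[HUGE_STRING], *t, *v, *tag = malloc(n + 1);
    bool ok;
    if (!tag)
        return false;
    memset(tag, 'x', n);
    tag[n] = '\0';
    ok = split_header(tag, "foo", scratch, sizeof scratch, &t, &v);
    free(tag);
    return ok;
}

/* Happy path: "subject: hello" comes back as the two halves. */
static bool splits_subject_correctly(void)
{
    char scratch[HUGE_STRING], *t, *v;
    if (!split_header("subject", "hello", scratch, sizeof scratch, &t, &v))
        return false;
    return strcmp(t, "subject") == 0 && strcmp(v, "hello") == 0;
}
```

A tag of HUGE_STRING - 2 characters is the longest that still fits; anything longer, including the over-5120-character tag from the ticket, is refused before any write.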