authorEric S. Raymond <esr@thyrsus.com>2002-05-24 07:24:56 +0000
committerEric S. Raymond <esr@thyrsus.com>2002-05-24 07:24:56 +0000
commitb125c5066a96955b35e8d5419f5820c0459f28aa (patch)
treecda1f5e5f4f1af89d562338057da2127cc58ec9c
parent105b8bc2029ca6223224a766b2ec9a5d4d9653a6 (diff)
Red Hat's DOS-prevention patch.
svn path=/trunk/; revision=3616
-rw-r--r--imap.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/imap.c b/imap.c
index cf8d001f..856b1f27 100644
--- a/imap.c
+++ b/imap.c
@@ -11,6 +11,7 @@
#include <ctype.h>
#if defined(STDC_HEADERS)
#include <stdlib.h>
+#include <limits.h>
#endif
#include "fetchmail.h"
#include "socket.h"
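Review bot: `<limits.h>` is added inside the `#if defined(STDC_HEADERS)` block, but the `INT_MAX` test added in the second hunk is compiled unconditionally. A build where STDC_HEADERS is not defined would presumably stop on an undeclared `INT_MAX`, unless another header visible outside this hunk already provides it. Moving `#include <limits.h>` outside the conditional, or guarding the new check with the same macro, would keep the two in step.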
@@ -60,6 +61,19 @@ static int imap_ok(int sock, char *argbuf)
{
count = atoi(buf+2);
/*
+ * Don't trust the message count passed by the server.
+ * Without this check, it might be possible to do a
+ * DNS-spoofing attack that would pass back a ridiculous
+ * count, and allocate a malloc area that would overlap
+ * a portion of the stack.
+ */
+ if (count > INT_MAX/sizeof(int))
+ {
+ report(stderr, "bogus message count!");
+ return(PS_PROTOCOL);
+ }
+
+ /*
* Nasty kluge to handle RFC2177 IDLE. If we know we're idling
* we can't wait for the tag matching the IDLE; we have to tell the
* server the IDLE is finished by shipping back a DONE when we
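Review bot: The new guard `count > INT_MAX/sizeof(int)` rejects a negative count only as a side effect of the signed-to-unsigned conversion that the `sizeof` operand forces (assuming `count` is an `int`; its declaration is outside the hunk), and nothing in the code or comment says so. I would make that explicit, `if (count < 0 || (size_t)count > INT_MAX/sizeof(int))`, so the check survives a later change of type or bound. The value also still comes from `atoi(buf+2)`, whose result for an out-of-range digit string is undefined, so the test may run on a number that is not what the server sent; `strtol` with an `errno` and end-pointer check would let an over-long count be rejected directly. The bound presumes the later allocation is `count * sizeof(int)`, which is not visible here and should be confirmed against the allocation site. imap_ok's body starts and ends outside the hunk.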