From b125c5066a96955b35e8d5419f5820c0459f28aa Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond"
Date: Fri, 24 May 2002 07:24:56 +0000
Subject: Red Hat's DOS-prevention patch.
svn path=/trunk/; revision=3616
---
 imap.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/imap.c b/imap.c
index cf8d001f..856b1f27 100644
--- a/imap.c
+++ b/imap.c
@@ -11,6 +11,7 @@
 #include
 #if defined(STDC_HEADERS)
 #include
+#include
 #endif
 #include "fetchmail.h"
 #include "socket.h"
@@ -59,6 +60,19 @@ static int imap_ok(int sock, char *argbuf)
 else if (strstr(buf, "EXISTS"))
 {
 count = atoi(buf+2);
+ /*
+ * Don't trust the message count passed by the server.
+ * Without this check, it might be possible to do a
+ * DNS-spoofing attack that would pass back a ridiculous
+ * count, and allocate a malloc area that would overlap
+ * a portion of the stack.
+ */
+ if (count > INT_MAX/sizeof(int))
+ {
+ report(stderr, "bogus message count!");
+ return(PS_PROTOCOL);
+ }
+
 /*
 * Nasty kluge to handle RFC2177 IDLE. If we know we're idling
 * we can't wait for the tag matching the IDLE; we have to tell the
-- 
cgit v1.2.3
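Review bot: The new bound in `imap_ok` is applied to the result of `atoi(buf+2)`, and `atoi` has undefined behaviour when the server's digit string does not fit in an `int`, so the oversized counts this check is meant to catch may never reach it as a reliable value. Parsing with `strtol`, which clamps on overflow, and testing the `long` before narrowing closes that gap: `long n = strtol(buf+2, NULL, 10);` then `if (n < 0 || n > (long)(INT_MAX/sizeof(int)))`, with `count = (int)n;` after the check. Negative counts are currently rejected only because `INT_MAX/sizeof(int)` has an unsigned type and `count` is converted to it (assuming `count` is a signed `int`; its declaration is outside the hunk), so the explicit `n < 0` also documents that intent. The body of `imap_ok` starts and ends outside the hunk, so the allocation this bound protects is not visible here and should be confirmed to use the same `count * sizeof(int)` sizing.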