copy the blob value via strndup() instead of strdup() to ensure longmsg is NUL-terminated ENGINE-168
authorRoker <roker@pep-project.org>
Mon, 30 Jan 2017 16:18:26 +0100
branchENGINE-168
changeset 15631c7679549bfb
parent 1562 0b114207f6f8
child 1564 25d24eb99711
child 1565 a087ba3d0807
copy the blob value via strndup() instead of strdup() to ensure longmsg is NUL-terminated
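--- a/src/message_api.c
+++ b/src/message_api.c
@@ -1593,31 +1593,30 @@
             char* slong = src->longmsg;
             char* sform = src->longmsg_formatted;
             bloblist_t* satt = src->attachments;
-                                    
+            
             if ((!slong || slong[0] == '\0')
                  && (!sform || sform[0] == '\0')) {
                 if (satt) {
                     const char* inner_mime_type = satt->mime_type;
                     if (strcasecmp(inner_mime_type, "text/plain") == 0) {
                         free(slong); /* in case of "" */
-                        src->longmsg = strdup(satt->value);
-                    
+                        src->longmsg = strndup(satt->value, satt->size); // N.B.: longmsg might be shorter, if attachment contains NUL bytes which are not allowed in text/plain!
+                        
                         bloblist_t* next_node = satt->next;
                         if (next_node) {
                             inner_mime_type = next_node->mime_type;
                             if (strcasecmp(inner_mime_type, "text/html") == 0) {
                                 free(sform);
-                                src->longmsg_formatted = strdup(next_node->value);
+                                src->longmsg_formatted = strndup(next_node->value, next_node->size);  // N.B.: longmsg might be shorter, if attachment contains NUL bytes which are not allowed in text/plain!
                             }
                         }
                     }
                     else if (strcasecmp(inner_mime_type, "text/html") == 0) {
                         free(sform);
-                        src->longmsg_formatted = strdup(satt->value);
-                    }                    
+                        src->longmsg_formatted = strndup(satt->value, satt->size);  // N.B.: longmsg might be shorter, if attachment contains NUL bytes which are not allowed in text/plain!
+                    }
                 }
-            }       
-
+            }
             
             return PEP_UNENCRYPTED;
 
@@ -1664,39 +1663,39 @@
             case PEP_enc_PGP_MIME_Outlook1:
                 status = mime_decode_message(ptext, psize, &msg);
                 if (status != PEP_STATUS_OK)
-                    goto pep_error;                
+                    goto pep_error;
                 
                 char* mlong = msg->longmsg;
                 char* mform = msg->longmsg_formatted;
                 bloblist_t* matt = msg->attachments;
-                                        
+                
                 if ((!mlong || mlong[0] == '\0')
                      && (!mform || mform[0] == '\0')) {
                     if (matt) {
                         const char* inner_mime_type = matt->mime_type;
                         if (strcasecmp(inner_mime_type, "text/plain") == 0) {
                             free(mlong); /* in case of "" */
-                            msg->longmsg = strdup(matt->value);
-                        
+                            msg->longmsg = strndup(matt->value, matt->size);
+                            
                             bloblist_t* next_node = matt->next;
                             if (next_node) {
                                 inner_mime_type = next_node->mime_type;
                                 if (strcasecmp(inner_mime_type, "text/html") == 0) {
                                     free(mform);
-                                    msg->longmsg_formatted = strdup(next_node->value);
+                                    msg->longmsg_formatted = strndup(next_node->value, next_node->size);
                                 }
                             }
                         }
                         else if (strcasecmp(inner_mime_type, "text/html") == 0) {
                             free(mform);
-                            msg->longmsg_formatted = strdup(matt->value);
-                        }                    
+                            msg->longmsg_formatted = strndup(matt->value, matt->size);
+                        }
                     }
                     if (msg->shortmsg) {
                         free(src->shortmsg);
                         src->shortmsg = strdup(msg->shortmsg);
                     }
-                }    
+                }
 
                 if (decrypt_status != PEP_DECRYPTED_AND_VERIFIED) {
                     status = _get_detached_signature(msg, &detached_sig);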
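Review bot: The trailing comment on the two `longmsg_formatted = strndup(...)` lines in the first hunk is a copy of the `longmsg` one and so names the wrong field and the wrong MIME type: those lines copy a `text/html` blob into `longmsg_formatted`, not a `text/plain` blob into `longmsg`; suggest `// N.B.: longmsg_formatted may be shorter than the blob if it contains NUL bytes, which are not valid in text/html either`. The same four assignments in the second hunk carry no comment at all, so the truncation-at-NUL behaviour that motivates the switch to strndup() is documented only in the first copy. Separately, every new `strndup()` result is stored without a NULL check, so an allocation failure leaves `longmsg`/`longmsg_formatted` NULL for later code to dereference; a guard such as `if (!src->longmsg) goto enomem;` (or the module's equivalent error path) on each assignment would make the failure explicit. The enclosing function and `switch` continue outside both hunks.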