imapserver: prevent unbounded memory allocations when handling a command

some commands, like search, can specify any number of literals, of arbitrary size. we already limited individual literals to 100kb. but you could specify many of them, causing unbounded memory consumption. this change adds a limit of 1000 literals in a command, and a limit of 1mb of total combined memory for literals. once the limits are exceeded, a TOOBIG error code is returned. unbounded memory use could only be triggered on authenticated connections. this addresses the same issue as CVE-2024-34055 for cyrus-imap, by damian poddebniak.
2025-07-10 10:34:40 +03:00 · 2024-06-10 14:49:10 +02:00
parent 614576e409
commit aef99a72d8
4 changed files with 105 additions and 23 deletions
--- a/imapserver/server.go
+++ b/imapserver/server.go
@ -2729,7 +2729,7 @@ func (c *conn) cmdAppend(tag, cmd string, p *parser) {
 	// todo: this is only relevant if we also support the CATENATE extension?
 	// ../rfc/6855:204
 	utf8 := p.take("UTF8 (")
-	size, sync := p.xliteralSize(0, utf8)
+	size, sync := p.xliteralSize(utf8, false)

 	name = xcheckmailboxname(name, true)
 	c.xdbread(func(tx *bstore.Tx) {