Tiny patch
David Carter
dpc22 at cam.ac.uk
Thu Jul 2 13:00:11 EDT 2009
mailbox_cache_size() has a bounds test which is incorrect: see attached.

Solaris/x86 appears to mmap() things right at the top of memory, which
means that cacheitembegin + mailbox->cache_size can overflow. Linux/x86
mmap()s things somewhere in the middle of the memory map, so the problem
isn't visible there.

make_md5, make_sha1 and sync_server are the only things which appear to
call mailbox_cache_size(), so not a huge deal.
--
David Carter Email: David.Carter at ucs.cam.ac.uk
University Computing Service, Phone: (01223) 334502
New Museums Site, Pembroke Street, Fax: (01223) 334679
Cambridge UK. CB2 3QH.
Index: imap/mailbox.c
===================================================================
RCS file: /cvs/src/cyrus/imap/mailbox.c,v
retrieving revision 1.193
diff -u -d -r1.193 mailbox.c
--- imap/mailbox.c 5 May 2009 01:20:02 -0000 1.193
+++ imap/mailbox.c 2 Jul 2009 16:41:23 -0000
@@ -320,8 +320,8 @@
return 0;
for (cache_ent = 0; cache_ent < NUM_CACHE_FIELDS; cache_ent++) {
cacheitem = CACHE_ITEM_NEXT(cacheitem);
- if (cacheitem < cacheitembegin ||
- cacheitem > cacheitembegin + mailbox->cache_size) {
+ if ((cacheitem < cacheitembegin) ||
+ (cacheitem > mailbox->cache_base + mailbox->cache_size)) {
return 0; /* clearly bogus */
}
}
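Review bot: The new upper bound on the + line still compares with >, so a cacheitem equal to mailbox->cache_base + mailbox->cache_size is accepted and becomes the argument of CACHE_ITEM_NEXT on the next pass of the loop; if that macro reads a length at cacheitem (its definition is not shown in this hunk), only the last of the NUM_CACHE_FIELDS entries may legitimately end exactly at that address. Consider checking the remaining room before each CACHE_ITEM_NEXT rather than after it. The two halves of the test also now use different bases (cacheitembegin for the lower bound, mailbox->cache_base for the upper), which deserves a one-line comment, and the sum mailbox->cache_base + mailbox->cache_size can itself wrap if the mapping ends at the very top of the address space; comparing the offset cacheitem - mailbox->cache_base against mailbox->cache_size avoids forming that sum.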
More information about the Cyrus-devel mailing list
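The wraparound described in the message, as an added example (not code from Cyrus or from the patch author): addresses are modelled as uintptr_t values so the overflow is well defined, and the function names, mapping size and offsets are constructed for illustration. It shows the pre-patch test rejecting a valid item when the mapping sits near the top of the address space, next to the patched test and an offset-based form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch test: upper bound is cacheitembegin + cache_size. */
static int old_check_rejects(uintptr_t begin, size_t cache_size, uintptr_t item)
{
    return item < begin || item > begin + cache_size;   /* sum may wrap */
}

/* Patched test: upper bound is cache_base + cache_size (end of mapping). */
static int new_check_rejects(uintptr_t begin, uintptr_t base,
                             size_t cache_size, uintptr_t item)
{
    return item < begin || item > base + cache_size;
}

/* Offset form (assumption, not in the patch): no address sum is formed. */
static int offset_check_rejects(uintptr_t begin, uintptr_t base,
                                size_t cache_size, uintptr_t item)
{
    return item < begin || item < base || (size_t)(item - base) > cache_size;
}

/* Constructed layout: 64 KiB mapping, record begins 32 KiB in. */
#define CACHE_SIZE ((size_t)0x10000)
#define MID_BASE   ((uintptr_t)0x40000000)              /* mid address space */
#define HIGH_BASE  (UINTPTR_MAX - (uintptr_t)0x10FFF)   /* near top of memory */

static uintptr_t begin_of(uintptr_t base) { return base + 0x8000; }
static uintptr_t item_of(uintptr_t base)  { return base + 0x8100; } /* valid */

int main(void)
{
    uintptr_t bases[] = { MID_BASE, HIGH_BASE };
    for (size_t i = 0; i < 2; i++) {
        uintptr_t b = bases[i], beg = begin_of(b), it = item_of(b);
        printf("base=%#jx old_rejects=%d new_rejects=%d offset_rejects=%d\n",
               (uintmax_t)b,
               old_check_rejects(beg, CACHE_SIZE, it),
               new_check_rejects(beg, b, CACHE_SIZE, it),
               offset_check_rejects(beg, b, CACHE_SIZE, it));
    }
    return 0;
}
```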