dovecot/SOURCES/dovecot-2.3.13-CVE_2020_25275-part3.patch

From 0386140f61f9ba62225e90b419215f72bba6ad8b Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Mon, 17 Aug 2020 18:11:36 +0300
Subject: [PATCH] imap: Use imap_parser_read_tag() and _read_command_name()

---
 src/imap/imap-client.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/imap/imap-client.c b/src/imap/imap-client.c
index 0bf03caa97..95e57dbf53 100644
--- a/src/imap/imap-client.c
+++ b/src/imap/imap-client.c
@@ -1182,6 +1182,9 @@ client_command_failed_early(struct client_command_context **_cmd,
 {
 	struct client_command_context *cmd = *_cmd;
 
+	/* ignore the rest of this line */
+	cmd->client->input_skip_line = TRUE;
+
 	io_loop_time_refresh();
 	command_stats_start(cmd);
 	client_send_command_error(cmd, error);
@@ -1193,6 +1196,8 @@ static bool client_command_input(struct client_command_context *cmd)
 {
 	struct client *client = cmd->client;
 	struct command *command;
+	const char *tag, *name;
+	int ret;
 
         if (cmd->func != NULL) {
 		/* command is being executed - continue it */
@@ -1207,27 +1212,33 @@ static bool client_command_input(struct client_command_context *cmd)
 	}
 
 	if (cmd->tag == NULL) {
-                cmd->tag = imap_parser_read_word(cmd->parser);
-		if (cmd->tag == NULL)
+		ret = imap_parser_read_tag(cmd->parser, &tag);
+		if (ret == 0)
 			return FALSE; /* need more data */
-		cmd->tag = p_strdup(cmd->pool, cmd->tag);
+		if (ret < 0) {
+			client_command_failed_early(&cmd, "Invalid tag.");
+			return TRUE;
+		}
+		cmd->tag = p_strdup(cmd->pool, tag);
 	}
 
 	if (cmd->name == NULL) {
-		cmd->name = imap_parser_read_word(cmd->parser);
-		if (cmd->name == NULL)
+		ret = imap_parser_read_command_name(cmd->parser, &name);
+		if (ret == 0)
 			return FALSE; /* need more data */
+		if (ret < 0) {
+			client_command_failed_early(&cmd, "Invalid command name.");
+			return TRUE;
+		}
 
 		/* UID commands are a special case. better to handle them
 		   here. */
-		if (!cmd->uid && strcasecmp(cmd->name, "UID") == 0) {
+		if (!cmd->uid && strcasecmp(name, "UID") == 0) {
 			cmd->uid = TRUE;
-			cmd->name = imap_parser_read_word(cmd->parser);
-			if (cmd->name == NULL)
-				return FALSE; /* need more data */
+			return client_command_input(cmd);
 		}
-		cmd->name = !cmd->uid ? p_strdup(cmd->pool, cmd->name) :
-			p_strconcat(cmd->pool, "UID ", cmd->name, NULL);
+		cmd->name = !cmd->uid ? p_strdup(cmd->pool, name) :
+			p_strconcat(cmd->pool, "UID ", name, NULL);
 		client_command_init_finished(cmd);
 		imap_refresh_proctitle();
 	}