On 5.11.2013, at 16.02, Tomasz Potega <tpot...@wp-sa.pl> wrote:

> dovecot's message parser enters an endless loop when fed with certain
> multipart messages with stray CR characters.
>
> parse_next_body_to_boundary() assumes the '\r' might be the beginning
> of a boundary line, reducing the block size by one:

Thanks, fixed: http://hg.dovecot.org/dovecot-2.2/rev/aa1aede0f7f2

> I have added a check to see if the parser is past the EOF (and omit
> reducing the block size then) as a band-aid fix, but this might call
> for a more elegant solution.

I think I did the same fix. Also I don’t think it’s possible to normally use this as a DoS attack against users, because with mail_save_crlf=no (default) the CRs are stripped. And with mail_save_crlf=yes I’m not sure if such a message can even pass through SMTP servers.
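
A simplified model of the loop discussed in this thread, added here as an illustration and not taken from Dovecot's source or from either poster: a body scanner holds back a trailing '\r' in case a boundary line follows, and never makes progress once that '\r' is the last byte of the input unless it checks for EOF. The function names, the 2-byte read size and the sample body are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define READ_SIZE 2 /* assumed read granularity, kept small to force splits */

/* How many buffered body bytes may be consumed now. A trailing '\r' is held
 * back because the next read could complete a "\r\n--boundary" line. */
static size_t consumable(const char *buf, size_t size, bool at_eof, bool check_eof)
{
    if (size > 0 && buf[size - 1] == '\r') {
        /* The fix: at EOF no more data can follow, so the CR is plain body. */
        if (!(check_eof && at_eof))
            size--;
    }
    return size;
}

/* Feed msg through the model. Returns the number of parser steps taken, or
 * -1 if max_steps pass without consuming all input (the endless loop). */
static int parse_body(const char *msg, size_t len, bool check_eof, int max_steps)
{
    size_t pos = 0, buffered = 0;

    for (int step = 0; step < max_steps; step++) {
        if (pos == len)
            return step;
        size_t unread = len - pos - buffered;
        buffered += unread < READ_SIZE ? unread : READ_SIZE;
        bool at_eof = (pos + buffered == len);
        size_t n = consumable(msg + pos, buffered, at_eof, check_eof);
        pos += n;       /* n == 0 at EOF means no progress is ever made */
        buffered -= n;
    }
    return pos == len ? max_steps : -1;
}

int main(void)
{
    const char msg[] = "a\rb\r"; /* constructed body ending in a stray CR */
    printf("without EOF check: %d\n", parse_body(msg, 4, false, 1000));
    printf("with EOF check:    %d\n", parse_body(msg, 4, true, 1000));
    return 0;
}
```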