1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
From: Damian Poddebniak <duesee@users.noreply.github.com>
Date: Fri, 24 Jul 2020 19:39:53 +0200
Subject: [PATCH] Detect extra data after STARTTLS response and exit (#387)
---
src/low-level/imap/mailimap.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
index bb17119d..4ffcf55d 100644
--- a/src/low-level/imap/mailimap.c
+++ b/src/low-level/imap/mailimap.c
@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
mailimap_response_free(response);
+ // Detect if the server send extra data after the STARTTLS response.
+ // This *may* be a "response injection attack".
+ if (session->imap_stream->read_buffer_len != 0) {
+ // Since it is also an IMAP protocol violation, exit.
+ return MAILIMAP_ERROR_STARTTLS;
+ }
+
switch (error_code) {
case MAILIMAP_RESP_COND_STATE_OK:
return MAILIMAP_NO_ERROR;
From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
From: Fabian Ising <Murgeye@users.noreply.github.com>
Date: Fri, 24 Jul 2020 19:40:48 +0200
Subject: [PATCH] Detect extra data after STARTTLS responses in SMTP and POP3
and exit (#388)
* Detect extra data after STLS response and return error
* Detect extra data after SMTP STARTTLS response and return error
---
src/low-level/pop3/mailpop3.c | 8 ++++++++
src/low-level/smtp/mailsmtp.c | 8 ++++++++
2 files changed, 16 insertions(+)
diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
index ab9535be..e2124bf8 100644
--- a/src/low-level/pop3/mailpop3.c
+++ b/src/low-level/pop3/mailpop3.c
@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
if (r != RESPONSE_OK)
return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
+
+ // Detect if the server send extra data after the STLS response.
+ // This *may* be a "response injection attack".
+ if (f->pop3_stream->read_buffer_len != 0) {
+ // Since it is also protocol violation, exit.
+ // There is no error type for STARTTLS errors in POP3
+ return MAILPOP3_ERROR_SSL;
+ }
return MAILPOP3_NO_ERROR;
}
diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
index b7fc459e..3145cadf 100644
--- a/src/low-level/smtp/mailsmtp.c
+++ b/src/low-level/smtp/mailsmtp.c
@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
return MAILSMTP_ERROR_STREAM;
r = read_response(session);
+ // Detect if the server send extra data after the STARTTLS response.
+ // This *may* be a "response injection attack".
+ if (session->stream->read_buffer_len != 0) {
+ // Since it is also protocol violation, exit.
+ // There is no general error type for STARTTLS errors in SMTP
+ return MAILSMTP_ERROR_SSL;
+ }
+
switch (r) {
case 220:
return MAILSMTP_NO_ERROR;
|
