From 8ceb0cf0191f8b374a7f05974b29c6242ce8f752 Mon Sep 17 00:00:00 2001 From: Damian Poddebniak Date: Thu, 23 Jul 2020 19:24:45 +0200 Subject: [PATCH] Detect extra data after STARTTLS response and exit --- src/low-level/imap/mailimap.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c index bb17119d..4ffcf55d 100644 --- a/src/low-level/imap/mailimap.c +++ b/src/low-level/imap/mailimap.c @@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session) mailimap_response_free(response); + // Detect if the server send extra data after the STARTTLS response. + // This *may* be a "response injection attack". + if (session->imap_stream->read_buffer_len != 0) { + // Since it is also an IMAP protocol violation, exit. + return MAILIMAP_ERROR_STARTTLS; + } + switch (error_code) { case MAILIMAP_RESP_COND_STATE_OK: return MAILIMAP_NO_ERROR;