From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001 From: Damian Poddebniak Date: Fri, 24 Jul 2020 19:39:53 +0200 Subject: [PATCH] Detect extra data after STARTTLS response and exit (#387) --- src/low-level/imap/mailimap.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c index bb17119d..4ffcf55d 100644 --- a/src/low-level/imap/mailimap.c +++ b/src/low-level/imap/mailimap.c @@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session) mailimap_response_free(response); + // Detect if the server send extra data after the STARTTLS response. + // This *may* be a "response injection attack". + if (session->imap_stream->read_buffer_len != 0) { + // Since it is also an IMAP protocol violation, exit. + return MAILIMAP_ERROR_STARTTLS; + } + switch (error_code) { case MAILIMAP_RESP_COND_STATE_OK: return MAILIMAP_NO_ERROR; From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001 From: Fabian Ising Date: Fri, 24 Jul 2020 19:40:48 +0200 Subject: [PATCH] Detect extra data after STARTTLS responses in SMTP and POP3 and exit (#388) * Detect extra data after STLS response and return error * Detect extra data after SMTP STARTTLS response and return error --- src/low-level/pop3/mailpop3.c | 8 ++++++++ src/low-level/smtp/mailsmtp.c | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c index ab9535be..e2124bf8 100644 --- a/src/low-level/pop3/mailpop3.c +++ b/src/low-level/pop3/mailpop3.c @@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f) if (r != RESPONSE_OK) return MAILPOP3_ERROR_STLS_NOT_SUPPORTED; + + // Detect if the server send extra data after the STLS response. + // This *may* be a "response injection attack". + if (f->pop3_stream->read_buffer_len != 0) { + // Since it is also protocol violation, exit. + // There is no error type for STARTTLS errors in POP3 + return MAILPOP3_ERROR_SSL; + } return MAILPOP3_NO_ERROR; } diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c index b7fc459e..3145cadf 100644 --- a/src/low-level/smtp/mailsmtp.c +++ b/src/low-level/smtp/mailsmtp.c @@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session) return MAILSMTP_ERROR_STREAM; r = read_response(session); + // Detect if the server send extra data after the STARTTLS response. + // This *may* be a "response injection attack". + if (session->stream->read_buffer_len != 0) { + // Since it is also protocol violation, exit. + // There is no general error type for STARTTLS errors in SMTP + return MAILSMTP_ERROR_SSL; + } + switch (r) { case 220: return MAILSMTP_NO_ERROR;