[Users] [Bug 4313] New: Recursion stack overflow (two variations) with rebuilding folder tree
noreply at thewildbeast.co.uk
Sat Feb 15 12:42:48 CET 2020
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313
Bug ID: 4313
Summary: Recursion stack overflow (two variations) with
rebuilding folder tree
Product: Claws Mail
Version: 3.17.4
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Folders/IMAP
Assignee: users at lists.claws-mail.org
Reporter: hanno at hboeck.de
Created attachment 2046
https://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=2046&action=edit
python poc for first variant

A malicious or faulty IMAP server can crash claws-mail when it lets the server
traverse into indefinitely many subdirectories during rebuild folder tree.

The source of this is relatively obvious: imap_scan_tree_recursive() will call
itself recursively without any limit set, which eventually will crash. I
recommend to set a reasonable limit of recursion depth (not sure how crazy
people plausibly go with imap structures, but I guess a limit at 500 should
handle all possibly legit needs).

However while trying to create a reproducer for this I noticed that when
terminating the connection after some iterations (I tried with 1000) it will be
unresponsive for a while and also cause a stack overflow, however a different
one. It will crash somewhere in glib. I haven't analyzed that in more detail,
but it seems the rebuild folder tree functionality doesn't detect the
connection termination.

I'm attaching test scripts, these are written in python and open an imap server
on localhost. Configure an imap account to localhost without tls and do
right-click->"Rebuild folder tree" to reproduce. I'm also attaching ASAN stack
traces for both bugs.

--
You are receiving this mail because:
You are the assignee for the bug.
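
The depth limit recommended in the report, combined with propagating a failed listing up the call chain, as an added C example that is neither Claws Mail code nor part of the original report. `scan_tree`, `list_children` and `struct mock_server` are hypothetical names, and the constructed in-memory server stands in for real IMAP LIST round trips.

```c
#include <stdio.h>

#define MAX_FOLDER_DEPTH 500  /* limit suggested in the report */

enum scan_result { SCAN_OK = 0, SCAN_TOO_DEEP = -1, SCAN_CONN_LOST = -2 };

/* Constructed stand-in for a server: every folder down to `depth` reports one
 * subfolder; the connection drops after `drop_after` listings (-1 = never). */
struct mock_server { int depth; int drop_after; int requests; };

/* Hypothetical replacement for one LIST round trip.
 * Returns the number of subfolders, or -1 if the connection is gone. */
static int list_children(struct mock_server *srv, int depth)
{
    if (srv->drop_after >= 0 && srv->requests >= srv->drop_after)
        return -1;
    srv->requests++;
    return depth < srv->depth ? 1 : 0;
}

/* Recursive scan with a depth budget; any failure unwinds the whole walk. */
static int scan_tree(struct mock_server *srv, int depth, long *visited)
{
    if (depth > MAX_FOLDER_DEPTH)
        return SCAN_TOO_DEEP;          /* refuse before the stack runs out */
    int n = list_children(srv, depth);
    if (n < 0)
        return SCAN_CONN_LOST;         /* stop instead of recursing further */
    (*visited)++;
    for (int i = 0; i < n; i++) {
        int rc = scan_tree(srv, depth + 1, visited);
        if (rc != SCAN_OK)
            return rc;
    }
    return SCAN_OK;
}

int main(void)
{
    struct mock_server deep = { 1000000, -1, 0 };  /* constructed: endless nesting */
    long visited = 0;
    int rc = scan_tree(&deep, 0, &visited);
    printf("rc=%d after %ld folders\n", rc, visited);
    return 0;
}
```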