nginx.git/src/mail/ngx_mail_parse.c, branch release-1.30.0 nginx Mail: fixed type overflow in IMAP literal length parser. 2026-03-04T08:08:09+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-27T17:46:04+00:00 dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706 The overflow is safe, because the maximum length of literals is limited with the "imap_client_buffer" directive. Reported by Bartłomiej Dmitruk. 
The overflow is safe, because the maximum length of literals
is limited with the "imap_client_buffer" directive.

Reported by Bartłomiej Dmitruk.
Mail: stricter IMAP literals validation. 2026-03-04T08:08:09+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-27T17:18:16+00:00 aa65a60fc7bcef4152152cf5a4e87f04cad54368 As clarified in RFC 3501, Section 7.5, literals are followed either by SP, for additional command arguments, or CRLF. 
As clarified in RFC 3501, Section 7.5, literals are followed
either by SP, for additional command arguments, or CRLF.
Mail: IMAP pipelining support. 2021-05-19T00:13:28+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:28+00:00 5015209054f68141cd4f5f61e874d4497d4ef49c The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a), and ensures that nginx is able to properly handle or reject multiple IMAP commands. The s->cmd field is not really used and set for consistency. Non-synchronizing literals handling in invalid/unknown commands is limited, so when a non-synchronizing literal is detected at the end of a discarded line, the connection is closed. 
The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a),
and ensures that nginx is able to properly handle or reject multiple IMAP
commands.  The s->cmd field is not really used and set for consistency.

Non-synchronizing literals handling in invalid/unknown commands is limited,
so when a non-synchronizing literal is detected at the end of a discarded
line, the connection is closed.
Mail: stricter checking of IMAP tags. 2021-05-19T00:13:26+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:26+00:00 4617dd64b863df111e33b1b395709f4c2f427350 Only "A-Za-z0-9-._" characters now allowed (which is stricter than what RFC 3501 requires, but expected to be enough for all known clients), and tags shouldn't be longer than 32 characters. 
Only "A-Za-z0-9-._" characters now allowed (which is stricter than what
RFC 3501 requires, but expected to be enough for all known clients),
and tags shouldn't be longer than 32 characters.
Mail: fixed backslash handling in IMAP literals. 2021-05-19T00:13:23+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:23+00:00 82840d165144584d1b288521266051a6b5a462eb Previously, s->backslash was set if any of the arguments was a quoted string with a backslash character. After successful command parsing this resulted in all arguments being filtered to remove backslashes. This is, however, incorrect, as backslashes should not be removed from IMAP literals. For example: S: * OK IMAP4 ready C: a01 login {9} S: + OK C: user\name "pass\"word" S: * BAD internal server error resulted in "Auth-User: username" instead of "Auth-User: user\name" as it should. Fix is to apply backslash filtering on per-argument basis during parsing. 
Previously, s->backslash was set if any of the arguments was a quoted
string with a backslash character.  After successful command parsing
this resulted in all arguments being filtered to remove backslashes.
This is, however, incorrect, as backslashes should not be removed from
IMAP literals.  For example:

   S: * OK IMAP4 ready
   C: a01 login {9}
   S: + OK
   C: user\name "pass\"word"
   S: * BAD internal server error

resulted in "Auth-User: username" instead of "Auth-User: user\name"
as it should.

Fix is to apply backslash filtering on per-argument basis during parsing.
Mail: removed dead s->arg_start handling. 2021-05-19T00:13:22+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:22+00:00 fabe28259f4e191fee660a240ba347a0a8d2f1dc As discussed in the previous change, s->arg_start handling in the "done" labels of ngx_mail_pop3_parse_command(), ngx_mail_imap_parse_command(), and ngx_mail_smtp_parse_command() is wrong: s->arg_start cannot be set there, as it is handled and cleared on all code paths where the "done" labels are reached. The relevant code is dead and now removed. 
As discussed in the previous change, s->arg_start handling in the "done"
labels of ngx_mail_pop3_parse_command(), ngx_mail_imap_parse_command(),
and ngx_mail_smtp_parse_command() is wrong: s->arg_start cannot be
set there, as it is handled and cleared on all code paths where the
"done" labels are reached.  The relevant code is dead and now removed.
Mail: fixed s->arg_start clearing on invalid IMAP commands. 2021-05-19T00:13:20+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:20+00:00 3c660ef59b545bf76f2fb2b6a37ca02bcae4b2fb Previously, s->arg_start was left intact after invalid IMAP commands, and this might result in an argument incorrectly added to the following command. Similarly, s->backslash was left intact as well, leading to unneeded backslash removal. For example (LFs from the client are explicitly shown as "<LF>"): S: * OK IMAP4 ready C: a01 login "\<LF> S: a01 BAD invalid command C: a0000000000\2 authenticate <LF> S: a00000000002 aBAD invalid command The backslash followed by LF generates invalid command with s->arg_start and s->backslash set, the following command incorrectly treats anything from the old s->arg_start to the space after the command as an argument, and removes the backslash from the tag. If there is no space, s->arg_end will be NULL. Both things seem to be harmless though. In particular: - This can be used to provide an incorrect argument to a command without arguments. The only command which seems to look at the single argument is AUTHENTICATE, and it checks the argument length before trying to access it. - Backslash removal uses the "end" pointer, and stops due to "src < end" condition instead of scanning all the process memory if s->arg_end is NULL (and arg[0].len is huge). - There should be no backslashes in unquoted strings. An obvious fix is to clear s->arg_start and s->backslash on invalid commands, similarly to how it is done in POP3 parsing (added in 810:e3aa8f305d21) and SMTP parsing. This, however, makes it clear that s->arg_start handling in the "done" label is wrong: s->arg_start cannot be legitimately set there, as it is expected to be cleared in all possible cases when the "done" label is reached. The relevant code is dead and will be removed by the following change. 
Previously, s->arg_start was left intact after invalid IMAP commands,
and this might result in an argument incorrectly added to the following
command.  Similarly, s->backslash was left intact as well, leading
to unneeded backslash removal.

For example (LFs from the client are explicitly shown as "<LF>"):

  S: * OK IMAP4 ready
  C: a01 login "\<LF>
  S: a01 BAD invalid command
  C: a0000000000\2 authenticate <LF>
  S: a00000000002 aBAD invalid command

The backslash followed by LF generates invalid command with s->arg_start
and s->backslash set, the following command incorrectly treats anything
from the old s->arg_start to the space after the command as an argument,
and removes the backslash from the tag.  If there is no space, s->arg_end
will be NULL.

Both things seem to be harmless though.  In particular:

- This can be used to provide an incorrect argument to a command without
  arguments.  The only command which seems to look at the single argument
  is AUTHENTICATE, and it checks the argument length before trying to
  access it.

- Backslash removal uses the "end" pointer, and stops due to "src < end"
  condition instead of scanning all the process memory if s->arg_end is
  NULL (and arg[0].len is huge).

- There should be no backslashes in unquoted strings.

An obvious fix is to clear s->arg_start and s->backslash on invalid commands,
similarly to how it is done in POP3 parsing (added in 810:e3aa8f305d21) and
SMTP parsing.

This, however, makes it clear that s->arg_start handling in the "done"
label is wrong: s->arg_start cannot be legitimately set there, as it
is expected to be cleared in all possible cases when the "done" label is
reached.  The relevant code is dead and will be removed by the following
change.
Mail: POP3 pipelining support. 2021-05-19T00:13:18+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:18+00:00 d96d60d2e0a41a4e01163f7e5d1835e028f94b72 The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a), and ensures that nginx is able to properly handle or reject multiple POP3 commands, as required by the PIPELINING capability (RFC 2449). The s->cmd field is not really used and set for consistency. 
The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a),
and ensures that nginx is able to properly handle or reject multiple POP3
commands, as required by the PIPELINING capability (RFC 2449).  The s->cmd
field is not really used and set for consistency.
Mail: optimized discarding invalid SMTP commands. 2021-05-19T00:13:17+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:17+00:00 317223cb56f70f3fc2eb646a78a8f0161cafa70b There is no need to scan buffer from s->buffer->pos, as we already scanned the buffer till "p" and wasn't able to find an LF. There is no real need for this change in SMTP, since it is at most a microoptimization of a non-common code path. Similar code in IMAP, however, will have to start scanning from "p" to be correct, since there can be newlines in IMAP literals. 
There is no need to scan buffer from s->buffer->pos, as we already scanned
the buffer till "p" and wasn't able to find an LF.

There is no real need for this change in SMTP, since it is at most a
microoptimization of a non-common code path.  Similar code in IMAP, however,
will have to start scanning from "p" to be correct, since there can be
newlines in IMAP literals.
Mail: fixed handling of invalid SMTP commands split between reads. 2021-05-19T00:13:15+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:15+00:00 204f944add09c43223de317451175d5fdb7d1fb0 Previously, if an invalid SMTP command was split between reads, nginx failed to wait for LF before returning an error, and interpreted the rest of the command received later as a separate command. The sw_invalid state in ngx_mail_smtp_parse_command(), introduced in 04e43d03e153, did not work, since ngx_mail_smtp_auth_state() clears s->state when returning an error due to NGX_MAIL_PARSE_INVALID_COMMAND. And not clearing s->state will introduce another problem: the rest of the command would trigger duplicate error when rest of the command is received. Fix is to return NGX_AGAIN from ngx_mail_smtp_parse_command() until full command is received. 
Previously, if an invalid SMTP command was split between reads, nginx failed
to wait for LF before returning an error, and interpreted the rest of the
command received later as a separate command.

The sw_invalid state in ngx_mail_smtp_parse_command(), introduced in
04e43d03e153, did not work, since ngx_mail_smtp_auth_state() clears
s->state when returning an error due to NGX_MAIL_PARSE_INVALID_COMMAND.
And not clearing s->state will introduce another problem: the rest
of the command would trigger duplicate error when rest of the command is
received.

Fix is to return NGX_AGAIN from ngx_mail_smtp_parse_command() until full
command is received.