Comment 3 for bug 791758

Johann Pelz (johannpelz) wrote :

Timo Sirainen explained in an e-mail to Steve and me, adding to his earlier comments on Debian's <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627443#15>: "In v1.0 having a NUL inside header name truncates the header, but I wouldn't call that a security hole. I think even with the v1.1+ patches the header name probably gets truncated in different places. NULs aren't valid in header names, so it doesn't matter that much.

The bug with v1.1+ was that "name" string contained less data than was in "name_len". With v1.0 the code is:

  line->name = str_c(ctx->name);
  line->name_len = str_len(ctx->name);

So name_len isn't larger than name. There is no reading outside allocated buffer."

Apparently a malformed header can't lead to a service crash as in later Dovecot branches; still, if mailbox corruption can happen due to mishandling of malformed headers, as in Steve's tests, this is an issue of potential data loss. If only the malformed header line is partially lost, that would be tolerable; if a user's mbox files can get truncated because of malformed header lines, that would be an issue that should be addressed...

@Steve: what happened when you reproduced the issue in Dovecot on Hardy? Just partially lost header lines or corruption of whole mbox files?

Thanks again,

Hannes
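The invariant Timo describes (name_len derived from the stored string, so it can never exceed what name actually holds) as an added example in C. This is not Dovecot's code: the struct, parse_header_name(), header_line_consistent() and the sample header line are constructed here, and strlen() stands in for the str_c()/str_len() pair quoted above.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header record: a C string plus the length the rest of the
   code trusts. The defect described above was these two disagreeing. */
struct header_line {
    char *name;       /* NUL-terminated copy of the header name */
    size_t name_len;  /* length consumers use to index name[] */
};

/* Copy the header name (bytes before the first ':') out of raw input.
   An embedded NUL truncates the name, as in v1.0, but name_len is taken
   from the string that was actually stored, so name_len == strlen(name)
   holds regardless of what the raw bytes contained. Returns 0 on success,
   -1 when the line has no colon or allocation fails. */
int parse_header_name(const unsigned char *buf, size_t buf_len,
                      struct header_line *out)
{
    size_t i = 0;
    while (i < buf_len && buf[i] != ':')
        i++;
    if (i == buf_len)
        return -1;                 /* not a header line */
    out->name = malloc(i + 1);
    if (out->name == NULL)
        return -1;
    memcpy(out->name, buf, i);     /* may copy an embedded NUL */
    out->name[i] = '\0';
    out->name_len = strlen(out->name); /* derived from the string, not from i */
    return 0;
}

/* Check a consumer can make before reading name[0 .. name_len): a record
   whose name_len is larger than the string it points at must be rejected. */
int header_line_consistent(const struct header_line *line)
{
    return line->name != NULL && line->name_len == strlen(line->name);
}

void header_line_free(struct header_line *line)
{
    free(line->name);
    line->name = NULL;
    line->name_len = 0;
}
```

With the constructed input "Subj\0ect: hi" the parser stores "Subj" with name_len 4; a record built the other way round (name "Subj", name_len 9, the v1.1+ mismatch) fails header_line_consistent().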