Reject negative MAIL FROM SIZE parameters

emersion · Aug 14, 2023 · d666ea9 · d666ea9
1 parent 7a3ee4f
commit d666ea9
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/conn.go b/conn.go
@@ -315,18 +315,18 @@ func (c *Conn) handleMail(arg string) {
 	for key, value := range args {
 		switch key {
 		case "SIZE":
-			size, err := strconv.ParseInt(value, 10, 32)
+			size, err := strconv.ParseUint(value, 10, 32)
 			if err != nil {
 				c.writeResponse(501, EnhancedCode{5, 5, 4}, "Unable to parse SIZE as an integer")
 				return
 			}
 
-			if c.server.MaxMessageBytes > 0 && size > c.server.MaxMessageBytes {
+			if c.server.MaxMessageBytes > 0 && int64(size) > c.server.MaxMessageBytes {
 				c.writeResponse(552, EnhancedCode{5, 3, 4}, "Max message size exceeded")
 				return
 			}
 
-			opts.Size = size
+			opts.Size = int64(size)
 		case "SMTPUTF8":
 			if !c.server.EnableSMTPUTF8 {
 				c.writeResponse(504, EnhancedCode{5, 5, 4}, "SMTPUTF8 is not implemented")

diff --git a/server_test.go b/server_test.go
@@ -514,6 +514,8 @@ func TestServerTooBig(t *testing.T) {
 	defer s.Close()
 	defer c.Close()
 
+	s.MaxMessageBytes = 4294967294
+
 	io.WriteString(c, "MAIL FROM:<[email protected]> SIZE=4294967295\r\n")
 	scanner.Scan()
 	if strings.HasPrefix(scanner.Text(), "250 ") {