FramingParser can crash when single CR is inside DQUOTE string (#779)

Author: danieleggert

Diff for: Sources/CLI/main.swift

@@ -31,13 +31,17 @@ logger.info("Great! Connecting to \(hostname)")
 
 let sslContext = try NIOSSLContext(configuration: .clientDefault)
 let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)
-let channel = try ClientBootstrap(group: group).channelInitializer { (channel) -> EventLoopFuture<Void> in
-    channel.pipeline.addHandlers([
-        try! NIOSSLClientHandler(context: sslContext, serverHostname: hostname),
-        ResponseRoundtripHandler(logger: logger),
-        CommandRoundtripHandler(logger: logger),
-    ])
-}.connect(host: hostname, port: 993).wait()
+let channel = try ClientBootstrap(group: group)
+    .channelInitializer { (channel) -> EventLoopFuture<Void> in
+        channel.eventLoop.makeCompletedFuture {
+            try! channel.pipeline.syncOperations.addHandlers([
+                try! NIOSSLClientHandler(context: sslContext, serverHostname: hostname),
+                ResponseRoundtripHandler(logger: logger),
+                CommandRoundtripHandler(logger: logger),
+            ])
+        }
+    }
+    .connect(host: hostname, port: 993).wait()
 
 _ = channel.closeFuture.always { result in
     switch result {

Diff for: Sources/NIOIMAP/Client/FramingParser.swift

@@ -343,22 +343,11 @@ extension FramingParser {
     private mutating func readByte_state_normalTraversal(lineFeedStrategy: LineFeedByteStrategy) -> FrameStatus {
         let byte = self.readByte()
         switch byte {
-        case CR:
-            self.readByte_state_foundCR()
-            return .parsedCompleteFrame
-
-        case LF:
-            switch lineFeedStrategy {
-            case .ignoreFirst:
-                precondition(self.frameLength == 1)
-                self.stepBackAndIgnoreByte()
-                self.state = .normalTraversal(.includeInFrame)
-                return .continueParsing
-            case .includeInFrame:
-                // if we weren't meant to ignore the LF then it
-                // must be the end of the current frame
-                return .parsedCompleteFrame
-            }
+        case CR, LF:
+            return processLineBreakByte_state(
+                byte: byte,
+                lineFeedStrategy: lineFeedStrategy
+            )
 
         case LITERAL_HEADER_START:
             self.state = .searchingForLiteralHeader(.findingBinaryFlag)
@@ -384,7 +373,10 @@ extension FramingParser {
             // parts (notably `text`) is allowed to have _any_ character
             // (except CR or LF).
             // Thus, fall through to “normal” state:
-            return readByte_state_normalTraversal(lineFeedStrategy: .includeInFrame)
+            return processLineBreakByte_state(
+                byte: byte,
+                lineFeedStrategy: .includeInFrame
+            )
 
         case (ESCAPE, .normal):
             self.state = .insideQuoted(.escaped)
@@ -403,6 +395,32 @@ extension FramingParser {
         }
     }
 
+    private mutating func processLineBreakByte_state(
+        byte: UInt8,
+        lineFeedStrategy: LineFeedByteStrategy
+    ) -> FrameStatus {
+        switch byte {
+        case CR:
+            self.readByte_state_foundCR()
+            return .parsedCompleteFrame
+
+        case LF:
+            switch lineFeedStrategy {
+            case .ignoreFirst:
+                precondition(self.frameLength == 1)
+                self.stepBackAndIgnoreByte()
+                self.state = .normalTraversal(.includeInFrame)
+                return .continueParsing
+            case .includeInFrame:
+                // if we weren't meant to ignore the LF then it
+                // must be the end of the current frame
+                return .parsedCompleteFrame
+            }
+        default:
+            fatalError()
+        }
+    }
+
     private mutating func readByte_state_foundCR() {
         guard let byte = self.peekByte() else {
             // As we don't yet have the next byte we have to assume

Diff for: Sources/Proxy/MailClientToProxyHandler.swift

@@ -37,17 +37,19 @@ class MailClientToProxyHandler: ChannelInboundHandler {
         let boundContext = NIOLoopBound(context, eventLoop: context.eventLoop)
         let boundSelf = NIOLoopBound(self, eventLoop: context.eventLoop)
         ClientBootstrap(group: context.eventLoop).channelInitializer { channel in
-            let sslHandler = try! NIOSSLClientHandler(
-                context: NIOSSLContext(configuration: .clientDefault),
-                serverHostname: serverHost
-            )
-            return channel.pipeline.addHandlers([
-                sslHandler,
-                OutboundPrintHandler(type: "CLIENT (Encoded)"),
-                InboundPrintHandler(type: "SERVER (Original)"),
-                IMAPClientHandler(encodingChangeCallback: { _, _ in }),
-                ProxyToMailServerHandler(mailAppToProxyChannel: mailClientToProxyChannel),
-            ])
+            channel.eventLoop.makeCompletedFuture {
+                let sslHandler = try! NIOSSLClientHandler(
+                    context: NIOSSLContext(configuration: .clientDefault),
+                    serverHostname: serverHost
+                )
+                try! channel.pipeline.syncOperations.addHandlers([
+                    sslHandler,
+                    OutboundPrintHandler(type: "CLIENT (Encoded)"),
+                    InboundPrintHandler(type: "SERVER (Original)"),
+                    IMAPClientHandler(encodingChangeCallback: { _, _ in }),
+                    ProxyToMailServerHandler(mailAppToProxyChannel: mailClientToProxyChannel),
+                ])
+            }
         }.connect(host: serverHost, port: self.serverPort).map { channel in
             boundSelf.value.clientChannel = channel
             channel.closeFuture.whenSuccess {

Diff for: Sources/Proxy/main.swift

@@ -40,27 +40,30 @@ guard CommandLine.arguments.count == 5 else {
 
 let host = CommandLine.arguments[1]
 guard let port = Int(CommandLine.arguments[2]) else {
-    print("Invalid port, coudln't convert to an integer")
+    print("Invalid port, couldn't convert to an integer")
     exit(1)
 }
 
 let serverHost = CommandLine.arguments[3]
 guard let serverPort = Int(CommandLine.arguments[4]) else {
-    print("Invalid server port, coudln't convert to an integer")
+    print("Invalid server port, couldn't convert to an integer")
     exit(1)
 }
 
 // MARK: - Run
 
-try ServerBootstrap(group: eventLoopGroup).childChannelInitializer { channel -> EventLoopFuture<Void> in
-    channel.pipeline.addHandlers([
-        InboundPrintHandler(type: "CLIENT (Original)"),
-        OutboundPrintHandler(type: "SERVER (Decoded)"),
-        ByteToMessageHandler(FrameDecoder()),
-        IMAPServerHandler(),
-        MailClientToProxyHandler(serverHost: serverHost, serverPort: serverPort),
-    ])
-}
-.serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)
-.bind(host: host, port: port).wait()
-.closeFuture.wait()
+try ServerBootstrap(group: eventLoopGroup)
+    .childChannelInitializer { channel -> EventLoopFuture<Void> in
+        channel.eventLoop.makeCompletedFuture {
+            try! channel.pipeline.syncOperations.addHandlers([
+                InboundPrintHandler(type: "CLIENT (Original)"),
+                OutboundPrintHandler(type: "SERVER (Decoded)"),
+                ByteToMessageHandler(FrameDecoder()),
+                IMAPServerHandler(),
+                MailClientToProxyHandler(serverHost: serverHost, serverPort: serverPort),
+            ])
+        }
+    }
+    .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)
+    .bind(host: host, port: port).wait()
+    .closeFuture.wait()

Diff for: Tests/NIOIMAPTests/FramingParserTests.swift

@@ -58,6 +58,26 @@ extension FramingParserTests {
         }
     }
 
+    func testSingleQuoteInLine_CR_lineBreak() {
+        // RFC 3501 allows un-matched `"` in `text` parts, such as the text of an untagged OK response.
+        //
+        // Test that this:
+        //
+        // S: * OK Hello " foo
+        // S: * NO Hello bar
+        //
+        // gets parsed into the corresponding two frames / lines.
+        do {
+            var buffer: ByteBuffer = "* OK Hello \" foo\r"
+            XCTAssertEqual(try self.parser.appendAndFrameBuffer(&buffer), [.complete("* OK Hello \" foo\r")])
+        }
+        // Check that the next line parses:
+        do {
+            var buffer: ByteBuffer = "* NO Hello bar\r"
+            XCTAssertEqual(try self.parser.appendAndFrameBuffer(&buffer), [.complete("* NO Hello bar\r")])
+        }
+    }
+
     func testCommandWithQuoted() {
         var buffer: ByteBuffer = "A1 LOGIN \"foo\" \"bar\"\r\n"
         XCTAssertEqual(try self.parser.appendAndFrameBuffer(&buffer), [.complete("A1 LOGIN \"foo\" \"bar\"\r\n")])

Diff for: Tests/NIOIMAPTests/IntegrationTests.swift

@@ -62,11 +62,13 @@ final class ParserIntegrationTests: XCTestCase {
             server = try ServerBootstrap(group: group)
                 .serverChannelOption(ChannelOptions.socket(.init(SOL_SOCKET), .init(SO_REUSEADDR)), value: 1)
                 .childChannelInitializer { channel in
-                    channel.pipeline.addHandlers(
-                        ByteToMessageHandler(FrameDecoder()),
-                        IMAPServerHandler(),
-                        CollectEverythingHandler(collectionDonePromise: collectionDonePromise)
-                    )
+                    channel.eventLoop.makeCompletedFuture {
+                        try! channel.pipeline.syncOperations.addHandlers([
+                            ByteToMessageHandler(FrameDecoder()),
+                            IMAPServerHandler(),
+                            CollectEverythingHandler(collectionDonePromise: collectionDonePromise),
+                        ])
+                    }
                 }
                 .bind(to: .init(ipAddress: "127.0.0.1", port: 0))
                 .wait()