[PATCH] inn crash fix
Andi Kleen
ak at suse.de
Thu Nov 18 16:26:32 UTC 1999
Hallo,
I had a uucp batch in my incoming that reliably crashed by innd on Linux/i386.
It seems innd does not like duplicated "Bytes:" headers, on the
second occurrence it tries to copy the header value into a not
allocated buffer.
This patch fixes it. It is relative inn-2.2.1 with Pekka Pietikainen
MaxHeaderLength() crash fix applied (so on vanilla 2.2.1 it may generate
some fuzz)
--- innd/art.c-o Thu Nov 18 16:20:26 1999
+++ innd/art.c Thu Nov 18 16:45:25 1999
@@ -827,6 +827,12 @@
*deltap = 0;
}
+ /* Happens for Bytes */
+ if (!hp->Allocated) {
+ *deltap = 0;
+ return in;
+ }
+
/* If body of header is all blanks, drop the header. */
for (p = colon + 1; ISWHITE(*p); p++)
continue;
-Andi
More information about the inn-bugs
mailing list