innd 2.2.1 and 2.2 crash on invalid Distribution: header

Tomasz R. Surmacz tsurmacz at ict.pwr.wroc.pl
Thu Nov 18 19:46:26 UTC 1999


I wrote on Thu, Nov 18, 1999 at 03:26:03PM +0100:
> Problem:
> If the newsfeeds file contains a list of distributions, i.e.:
> 
> 	ME:*/world,pl,pl-news,wroc::
> 
> and an article arrives (using IHAVE protocol from another peer) that has the
> following header:
> 
> 	Distribution: ,
> 
> then the server crashes in MaxLength (p=0x0, q=0x0) at innd.c:136,
> called from ARTpost at art.c:2292, where distribution!=NULL, but
> (*distribution)==NULL, and in the following code:
...

> the article.  Here is the patch:
> 
> --- art.c.orig	Mon May  3 19:58:11 1999
> +++ art.c	Thu Nov 18 00:15:40 1999
> @@ -2285,7 +2287,7 @@
>      /* If we limit what distributions we get, see if we want this one. */
>      p = HDR(_distribution);
>      distributions = *p ? CommaSplit(p) : NULL;
> -    if (distributions) {
> +    if (distributions && distributions[0]) {
>  	DISTparse(distributions, &Data);
>  	if (ME.Distributions
>  	 && !DISTwantany(ME.Distributions, distributions)) {
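
Review bot: the new condition `if (distributions && distributions[0])` makes a non-NULL but empty list take the same path as an article with no Distribution: header, so for "Distribution: ," both `DISTparse` and the `ME.Distributions` / `DISTwantany` filter below are skipped and the article is no longer subject to the configured distribution limit. Whether the list returned by `CommaSplit(p)` is still released on that path is not visible in this hunk and should be confirmed. Consider keeping the block entered on `if (distributions)` and handling the empty list explicitly inside it, so that the malformed header is rejected rather than silently treated as absent.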

Actually, a better patch would be as follows:

(applied *instead* of the above patch)

--- art.c.orig	Sun Aug  8 23:56:53 1999
+++ art.c	Thu Nov 18 20:17:51 1999
@@ -2291,7 +2293,7 @@
 	 && !DISTwantany(ME.Distributions, distributions)) {
 	    (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
 		    NNTP_REJECTIT_VAL,
-		    MaxLength(distributions[0], distributions[0]));
+		    distributions[0]?MaxLength(distributions[0], distributions[0]):"");
 	    ARTlog(&Data, ART_REJECT, buff);
             if (innconf->remembertrash && (Mode == OMrunning) &&
 				!HISremember(hash))
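
Review bot: the ternary on the `MaxLength(...)` argument guards only that one dereference; the condition in the first context line still passes the same list to `DISTwantany(ME.Distributions, distributions)`, so the rejection depends on that function coping with `distributions[0] == NULL` and returning false for it, which this hunk does not show. The reject reason logged through `ARTlog` will also read `Unwanted distribution ""`, which hides that the header was malformed rather than unwanted; a separate message for the empty-list case would make the log usable for diagnosis. Style: put spaces around `?` and `:` to match the surrounding code.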

as it prevents innd from dumping core on MaxLength() call, yet it rejects
the article properly and disposes of all allocated memory just after
rejection, instead of some time later which might, or might not happen.

It may be worth considering another modification like this:

2293          if ((distributions[0]==NULL) || (ME.Distributions
2294           && !DISTwantany(ME.Distributions, distributions))) {

which would reject a message with a malformed Distribution: header, even
if innd is willing to accept all the distributions.  This however will
probably not match things like "Distribution: world," and may be expanded
to check this header in more detail.

Tomasz Surmacz

-- 
 _________
(_   _' __) Tomasz R. Surmacz *--* Work:(071)320-2752 tsurmacz at ict.pwr,wroc.pl
  |  (__  \ http://www.ict.pwr.wroc.pl/~tsurmacz/ *---* Home: ts @wroc,apk,net
  |__(____/ For PGP key finger tsurmacz at asic.ict,pwr,wroc.pl *---* irc: TomekS
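
The more detailed header check that the message suggests at its end, as an added example that is not part of the original post or of INN's code. The names `dist_check` and `dist_status` are hypothetical, and ignoring spaces and tabs around entries is an assumption.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example; names are hypothetical, not INN identifiers. */
enum dist_status { DIST_OK, DIST_ABSENT, DIST_MALFORMED };

/* Assumption: spaces and tabs around entries are ignored. */
static int is_blank(char c) { return c == ' ' || c == '\t'; }

/*
 * Check a Distribution: value in one pass, without allocating.
 * DIST_ABSENT: nothing but blanks. DIST_MALFORMED: some field between
 * commas is empty (",", "world,", ",pl", "a,,b"). *count gets the
 * number of non-empty entries; 0 together with DIST_MALFORMED is the
 * "Distribution: ," case described in the message.
 */
enum dist_status dist_check(const char *value, size_t *count)
{
    size_t entries = 0, commas = 0, len = 0;
    int bad = 0;
    const char *p;

    if (count) *count = 0;
    if (value == NULL) return DIST_ABSENT;
    for (p = value; ; p++) {
        if (*p == ',' || *p == '\0') {
            if (len > 0) entries++;
            else if (*p == ',' || commas > 0) bad = 1;  /* empty field */
            if (*p == '\0') break;
            commas++;
            len = 0;
        } else if (!is_blank(*p)) {
            len++;
        }
    }
    if (count) *count = entries;
    if (entries == 0 && commas == 0) return DIST_ABSENT;
    return bad ? DIST_MALFORMED : DIST_OK;
}

int main(void)
{
    /* Constructed sample values, including the two from the message. */
    const char *samples[] = { ",", "world,", "world,pl,pl-news,wroc", "" };
    size_t i, n;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> status %d, %lu entries\n", samples[i],
               (int)dist_check(samples[i], &n), (unsigned long)n);
    return 0;
}
```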

