Seg fault found in expireover
Andrew Stribblehill
a.d.stribblehill at durham.ac.uk
Mon Apr 23 15:33:11 UTC 2001
Whilst running expireover as part of news.daily on a Debian GNU/Linux
i386 SMP box, I was getting a segmentation fault each day, preceded
by a few "Bad entry:" messages. This seems to be a problem in the
storage/ov.c code, function OVgroupbasedexpire. It malloc()s a string
of size strlen(Group) + 1 chars long, copies Group into it then
appends ":" to it. This is obviously writing beyond its means by 1
byte.
The offending code:
Starts at storage/ov.c +1101
...
    if ((Xref = OVERGetHeader(data, Xrefindex)) == NULL) {
        if (Group != NULL) {
            DISPOSE(Group);
        }
        Group = NEW(char, strlen(group) + 1);
        strcpy(Group, group);
        strcat(Group, ":");
        Xref = Group;
    } else {
...
Ends at storage/ov.c +1109
---------snip here--------------------------------
--- storage/ov.c- Thu Jan 11 08:55:23 2001
+++ storage/ov.c Mon Apr 23 11:48:12 2001
@@ -1102,7 +1102,7 @@
if (Group != NULL) {
DISPOSE(Group);
}
- Group = NEW(char, strlen(group) + 1);
+ Group = NEW(char, strlen(group) + 2);
strcpy(Group, group);
strcat(Group, ":");
Xref = Group;
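Review bot: The `+ 2` in the NEW() call is a bare constant with nothing at the allocation site tying it to the strcat(Group, ":") two lines below. It has to cover the appended ':' plus the terminating NUL, so either add a one-line comment saying so or write the size as strlen(group) + sizeof(":"), which keeps the allocation in step with the literal if the separator ever changes.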
---------snip here--------------------------------
--
Andrew Stribblehill
Systems programmer, IT Service, University of Durham, England
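
The size accounting behind the report above, as an added example (not code from INN or from the original message): the two byte-count functions and make_group_prefix() are hypothetical names, and plain malloc() stands in for INN's NEW() macro.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the pre-patch code requested: the name plus its NUL only. */
size_t xref_bytes_allocated_before(const char *group)
{
    return strlen(group) + 1;
}

/* Bytes strcpy() followed by strcat(":") writes: name, ':' and NUL. */
size_t xref_bytes_written(const char *group)
{
    return strlen(group) + sizeof(":");   /* sizeof(":") == 2 */
}

/* Hypothetical helper: returns a malloc'd "group:" string, or NULL.
 * The size comes from the same literal that is appended, and the
 * addition is checked for wrap-around before allocating. */
char *make_group_prefix(const char *group)
{
    size_t len, need;
    char *buf;

    if (group == NULL)
        return NULL;
    len = strlen(group);
    if (len > SIZE_MAX - sizeof(":"))
        return NULL;
    need = len + sizeof(":");
    buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, group, len);
    memcpy(buf + len, ":", sizeof(":"));  /* copies ':' and the NUL */
    return buf;
}

int main(void)
{
    const char *g = "comp.lang.c";        /* constructed sample group name */
    char *p = make_group_prefix(g);

    printf("allocated before patch: %zu, written: %zu, result: %s\n",
           xref_bytes_allocated_before(g), xref_bytes_written(g), p ? p : "(null)");
    free(p);
    return 0;
}
```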