Seg fault found in expireover

Andrew Stribblehill a.d.stribblehill at durham.ac.uk
Mon Apr 23 15:33:11 UTC 2001



Whilst running expireover as part of news.daily on a Debian GNU/Linux
i386 SMP box, I was getting a segmentation fault each day, preceded
by a few "Bad entry:" messages. This seems to be a problem in the
storage/ov.c code, function OVgroupbasedexpire. It malloc()s a string
of size strlen(Group) + 1 chars long, copies Group into it then
appends ":" to it. This is obviously writing beyond its means by 1
byte.

The offending code:

Starts at storage/ov.c +1101
...
    if ((Xref = OVERGetHeader(data, Xrefindex)) == NULL) {
        if (Group != NULL) {
            DISPOSE(Group);
        }
        Group = NEW(char, strlen(group) + 1);
        strcpy(Group, group);
        strcat(Group, ":");
        Xref = Group;
    } else {
...
Ends at storage/ov.c +1109

---------snip here--------------------------------
--- storage/ov.c-	Thu Jan 11 08:55:23 2001
+++ storage/ov.c	Mon Apr 23 11:48:12 2001
@@ -1102,7 +1102,7 @@
 	if (Group != NULL) {
 	    DISPOSE(Group);
 	}
-	Group = NEW(char, strlen(group) + 1);
+	Group = NEW(char, strlen(group) + 2);
 	strcpy(Group, group);
 	strcat(Group, ":");
 	Xref = Group;
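Review bot: The "+ 2" on the changed NEW(char, strlen(group) + 2) line is an unexplained constant that has to stay in step with the strcat(Group, ":") two lines below it. A short comment saying it covers the ':' and the terminating NUL would help, as would computing the length once and building the string from that length, so the allocation and the copy cannot drift apart again. The strcpy/strcat pair is only safe because of that arithmetic, so it is worth keeping the two visibly tied together.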
---------snip here--------------------------------


-- 
Andrew Stribblehill
Systems programmer, IT Service, University of Durham, England
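
The size arithmetic behind the report above, as an added example (not code from INN or from the original post): xref_bytes_needed, overrun_bytes and make_group_xref are hypothetical names, and the group name is a constructed sample. It counts what the strcpy/strcat pair writes against what was allocated, and builds the string from a single computed length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to hold "<group>:" including the terminating NUL.
 * Returns 0 if the sum would overflow size_t. */
size_t xref_bytes_needed(const char *group)
{
    size_t len = strlen(group);
    if (len > SIZE_MAX - 2)
        return 0;
    return len + 2;              /* +1 for ':', +1 for '\0' */
}

/* How many bytes strcpy(buf, group); strcat(buf, ":") would write past
 * a buffer of `allocated` bytes (0 means the copy fits). */
size_t overrun_bytes(size_t allocated, const char *group)
{
    size_t need = xref_bytes_needed(group);
    return need > allocated ? need - allocated : 0;
}

/* Hypothetical helper: returns a malloc'd "<group>:" or NULL on error.
 * Allocation and copy both derive from the same computed length. */
char *make_group_xref(const char *group)
{
    size_t need, len;
    char *buf;

    if (group == NULL || (need = xref_bytes_needed(group)) == 0)
        return NULL;
    len = need - 2;
    if ((buf = malloc(need)) == NULL)
        return NULL;
    memcpy(buf, group, len);
    buf[len] = ':';
    buf[len + 1] = '\0';
    return buf;
}

int main(void)
{
    const char *g = "comp.lang.c";   /* constructed sample group name */
    char *x = make_group_xref(g);
    printf("strlen+1 overruns by %zu, strlen+2 by %zu, result \"%s\"\n",
           overrun_bytes(strlen(g) + 1, g), overrun_bytes(strlen(g) + 2, g),
           x ? x : "(null)");
    free(x);
    return 0;
}
```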

