INN 2.3.1 - small bug in nnrpd

F. Senault fred at
Fri Mar 2 00:23:35 UTC 2001


While fiddling with some scripts, I discovered a very minor bug in
nnrpd version 2.3.1.

I tried to use the xhdr command for the Xref header, and a space was
missing between the server name and the newsgroup name :

> xhdr Xref <ivit9tk8 at aldur.mims.local>
< 221 0 Xref header of article <ivit9tk8 at aldur.mims.local>.
< <ivit9tk8 at aldur.mims.local> glenmorangie.lacave.netmims.admin.test:6
                                                       ^^ Here !

After some investigation, I found that it occurred only with a) a virtual
server and b) a message ID for parameter.

A quick grep in the sources later, I find why.  The xhdr command is
treated in nnrpd/article.c, function CMDxhdr.  If an article ID is used
for the search, it calls the function GetHeader.  Otherwise, as the Xref
header is in my overview database, it's another function that's called
(OVERGetHeader) if I understand correctly.

In the GetHeader function, there's a special case for the Xref header
with the virtual path.  It seems that in that case, the actual server
name is replaced by the virtual server name, with two memcpy.  In that
operation, there is a pointer that finds the first space in the header
and that keeps skipping spaces until the first letter of the group.
Then, the remainder of the string is memcpy'd into the return value,
just after the virtualhostname *without any spaces*.

I just took the char before the beginning of the group name, which has to
be a space.  Higher in the code, the buffer is given the good length
(same mechanism for Xref and Path).  So far, it works for me.

With fewer words and more code :

news at aldur:/usr/src/inn-2.3.1/nnrpd > diff article.c.orig article.c

<                   memcpy(retval + VirtualPathlen - 1, r, q - r);
<                   *(retval + (int)(q - r) + VirtualPathlen - 1) = '\0';
>                   memcpy(retval + VirtualPathlen - 1, r - 1, q - r + 1);
>                   *(retval + (int)(q - r) + VirtualPathlen) = '\0';
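
Review bot: In the added `memcpy(retval + VirtualPathlen - 1, r - 1, q - r + 1)`, the separator is taken from `r - 1`, which is only correct if the byte just before the group name is a space and `r` does not point at the start of the source buffer; neither is checked in these lines. Storing `' '` explicitly at `retval + VirtualPathlen - 1` and then copying `q - r` bytes from `r` to the next position would avoid depending on the input. The terminator now lands one byte further, at offset `(q - r) + VirtualPathlen`, so the allocation of `retval` has to cover that extra byte; the sizing code is outside this diff and should be included with it. The diff as posted also lacks its line-number header and the `---` separator between old and new lines, so it will not apply as is; a `diff -u` would be easier to review and apply.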

Hope this helps and thanks for that great software !


/* This function is BOOL but actually returns TRUE,
FALSE and -2 because I've no time to change it
to int */
                                     (Computer Stupidities, programming)            
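
The rewrite described in the message (server name replaced by the virtual host name, spaces skipped up to the first group), as an added example that is not part of the original post and is not INN's code. `xref_rewrite`, its `keep_sep` flag and the sample names are hypothetical, and the virtual host name is assumed to be passed as a plain string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not INN's GetHeader): replace the server name at the
 * start of an Xref value ("server group:num ...") with vhost.
 * keep_sep = 0 reproduces the reported behaviour (group glued to the name);
 * keep_sep = 1 writes the separating space explicitly.
 * Returns a malloc'd string, or NULL if the value has no group list. */
char *xref_rewrite(const char *xref, const char *vhost, int keep_sep)
{
    const char *sp, *grp;
    size_t vlen, rest, sep = keep_sep ? 1 : 0;
    char *out;

    if (xref == NULL || vhost == NULL)
        return NULL;
    sp = strchr(xref, ' ');               /* first space: end of server name */
    if (sp == NULL)
        return NULL;
    grp = sp + strspn(sp, " ");           /* skip spaces up to the group name */
    if (*grp == '\0')
        return NULL;
    vlen = strlen(vhost);
    rest = strlen(grp);
    out = malloc(vlen + sep + rest + 1);  /* size includes separator and NUL */
    if (out == NULL)
        return NULL;
    memcpy(out, vhost, vlen);
    if (keep_sep)
        out[vlen] = ' ';                  /* do not rely on the byte before grp */
    memcpy(out + vlen + sep, grp, rest);
    out[vlen + sep + rest] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample values, not taken from the report. */
    const char *xref = "news.example.org  misc.test:6";
    char *bad = xref_rewrite(xref, "virtual.example.net", 0);
    char *good = xref_rewrite(xref, "virtual.example.net", 1);

    printf("before: %s\nafter:  %s\n", bad ? bad : "(null)", good ? good : "(null)");
    free(bad);
    free(good);
    return 0;
}
```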

More information about the inn-bugs mailing list