expireover segfaults

Alex Kiernan alexk at demon.net
Wed Jul 3 12:50:06 UTC 2002


Bernd Jendrissek <berndj at prism.co.za> writes:

> [Cc'ed replies would be appreciated; I'm not on the list but I do read
> news.software.nntp - feel free to mail2news this there (I can't post)]
> 
> Every night at 4:02, crond runs "/usr/bin/news.daily delayrm expireover".
> About a minute after that expireover segfaults and I find a notice in my
> mailbox.
> 
> I have now patched up to INN 2.3.3, but the problem persists.  Here's the
> data, please ask for more if needed.
> 
> gdb /usr/bin/expireover core:
> 
> (gdb) bt
> #0  0x40023085 in OVERGetHeader (
>     p=0x28407f8a <Address 0x28407f8a out of bounds>, field=3) at ov.c:970
> #1  0x40023998 in OVhisthasmsgid () at ov.c:1050
> #2  0x400323bf in buffindexed_expiregroup () at buffindexed.c:1751
> #3  0x40021c43 in OVexpiregroup () at ov.c:316
> #4  0x804924a in main (argc=2, argv=0xbffffd54) at expireover.c:165
> (gdb) list
> 965         char                *next, *q;
> 966
> 967         fp = &ARTfields[field];
> 968
> 969         /* Skip leading headers. */
> 970         for (; field-- >= 0 && *p; p++)
> 971             if ((p = strchr(p, '\t')) == NULL)
> 972                 return NULL;
> 973         if (*p == '\0')
> 974             return NULL;
> 

At a guess, you've an overview record which is missing a field (can
you manage to capture p on entry to the function before it's tried
walking the list?); innd sometimes seems to do this. I've an
article which generates this behaviour reliably; I just haven't had
time to debug it yet.

The code in question isn't very robust: p isn't necessarily
null-terminated, so the strchr wanders off the end happily.

I fixed this up in nnrpd for -current; didn't realise it was copied
into two places though :(

-- 
Alex Kiernan, Principal Engineer, Development, THUS plc
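The bounded field walk that the reply points at, as an added example rather than INN's code or the nnrpd change mentioned above: ov_get_field takes the record length explicitly and scans with memchr over the bytes that remain, so a record that is short a field (or carries no terminator) yields NULL instead of a read past the end of the buffer. The function names, the length parameter, ov_field_is and the sample overview lines are all constructed here; the field numbering copies the listed loop, whose `field-- >= 0` test skips field+1 tabs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample overview records (not real spool data).  Columns are
 * article number, then the overview headers in the usual Subject, From,
 * Date, Message-ID, References, Bytes, Lines order.  OV_REC_SHORT is the
 * kind of record the reply suspects: it stops after the From column.
 */
const char OV_REC_FULL[] =
    "123\tHello world\tbob@example.invalid\tWed, 3 Jul 2002 12:00:00 GMT"
    "\t<m@example.invalid>\t\t1234\t20\r\n";
const char OV_REC_SHORT[] = "123\tHello\tbob";

/*
 * Hypothetical bounded replacement for the loop in the gdb listing:
 *
 *     for (; field-- >= 0 && *p; p++)
 *         if ((p = strchr(p, '\t')) == NULL)
 *             return NULL;
 *
 * which skips field+1 tabs and trusts that p is NUL-terminated.  Here the
 * caller passes the record length and every scan is limited to end - p.
 *
 * Returns a pointer to the start of field `field` (0 = first header after
 * the article number) and stores its length in *flen; returns NULL when
 * the record does not contain that field.
 */
const char *
ov_get_field(const char *rec, size_t len, int field, size_t *flen)
{
    const char *p = rec;
    const char *end = rec + len;
    const char *tab;

    if (rec == NULL || flen == NULL || field < 0)
        return NULL;

    /* Skip field+1 tab-separated columns without looking past end. */
    while (field-- >= 0) {
        if (p >= end)
            return NULL;          /* data ran out before the field */
        tab = memchr(p, '\t', (size_t)(end - p));
        if (tab == NULL)
            return NULL;          /* record is missing a field */
        p = tab + 1;
    }

    if (p >= end)
        return NULL;              /* trailing tab with nothing after it */

    /* Field runs to the next tab, or to the end of the record. */
    tab = memchr(p, '\t', (size_t)(end - p));
    if (tab == NULL) {
        tab = end;
        /* Last column: drop the record's own line terminator, if any. */
        while (tab > p && (tab[-1] == '\n' || tab[-1] == '\r'))
            tab--;
    }
    *flen = (size_t)(tab - p);
    return p;
}

/* 1 if the field exists and equals want, 0 if it differs, -1 if missing. */
int
ov_field_is(const char *rec, size_t len, int field, const char *want)
{
    size_t flen;
    const char *f = ov_get_field(rec, len, field, &flen);

    if (f == NULL)
        return -1;
    return flen == strlen(want) && memcmp(f, want, flen) == 0;
}

int
main(void)
{
    /* Copy the record into a buffer with no NUL after it, the situation
       the reply describes, and show that every lookup stays in bounds. */
    char buf[sizeof OV_REC_FULL - 1];
    int field;

    memcpy(buf, OV_REC_FULL, sizeof buf);
    for (field = 0; field < 8; field++) {
        size_t flen;
        const char *f = ov_get_field(buf, sizeof buf, field, &flen);

        if (f == NULL)
            printf("field %d: missing\n", field);
        else
            printf("field %d: \"%.*s\"\n", field, (int)flen, f);
    }
    return 0;
}
```

Passing a length shorter than the real record (as the test below does with the first nine bytes of OV_REC_SHORT) is the quick check that the scan honours the bound rather than the bytes that happen to follow.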

