buffer overflow in innd/art.c (possibly serious)

Russ Allbery rra at stanford.edu
Wed Jan 7 22:13:22 UTC 2004

Dan Riley <dsr at mail.lns.cornell.edu> writes:

> innd (inn-STABLE-20030716, but it doesn't look like there are any
> relevant changes in inn-STABLE-20040107) crashed repeatedly on us today.
> Examining a core file showed the stack had been smashed, munging the
> value of the cp argument to ARTpost (and once that's pointing someplace
> crazy innd is pretty quickly toast).  Inserting a canary
>
>    CHANNEL *scp = cp;
>
> as the first auto variable, with a sprinkling of assert(scp == cp)
> throughout the routine, showed the damage was in this block of code in
> ARTpost (line 2187 or so):

Yup, thanks.  Fixing this now.  I'll send out a patch and a new release

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

