buffer overflow in innd/art.c (possibly serious)

Russ Allbery rra at stanford.edu
Wed Jan 7 22:27:41 UTC 2004


Russ Allbery <rra at stanford.edu> writes:

> Yup, thanks.  Fixing this now.  I'll send out a patch and a new release
> ASAP.

Here is a patch:

--- art.c       2003/07/12 19:40:34     1.212.2.2
+++ art.c       2004/01/07 22:25:39     1.212.2.3
@@ -1,4 +1,4 @@
-/*  $Id: art.c,v 1.212.2.2 2003/07/12 19:40:34 rra Exp $
+/*  $Id: art.c,v 1.212.2.3 2004/01/07 22:25:39 rra Exp $
 **
 **  Article-processing.
 */
@@ -1773,7 +1773,7 @@ ARTmakeoverview(CHANNEL *cp)
 bool
 ARTpost(CHANNEL *cp)
 {
-  char         *p, **groups, ControlWord[SMBUF], tmpbuff[32], **hops;
+  char         *p, **groups, ControlWord[SMBUF], **hops, *controlgroup;
   int          i, j, *isp, hopcount, oerrno, canpost;
   NEWSGROUP    *ngp, **ngptr;
   SITE         *sp;
@@ -2184,9 +2184,10 @@ ARTpost(CHANNEL *cp)
    * or control. */
   if (IsControl && Accepted && !ToGroup) {
     ControlStore = true;
-    FileGlue(tmpbuff, "control", '.', ControlWord);
-    if ((ngp = NGfind(tmpbuff)) == NULL)
+    controlgroup = concat("control.", ControlWord, (char *) 0);
+    if ((ngp = NGfind(controlgroup)) == NULL)
       ngp = NGfind(ARTctl);
+    free(controlgroup);
     ngp->PostCount = 0;
     ngptr = GroupPointers;
     *ngptr++ = ngp;
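Review bot: The new `controlgroup = concat("control.", ControlWord, (char *) 0);` line would benefit from a comment recording why the group name is now built on the heap, since `ControlWord` is declared `SMBUF` bytes and is presumably derived from the article's Control header, so a fixed 32-byte `tmpbuff` was exactly what overflowed; something like `/* ControlWord is externally supplied and up to SMBUF bytes; build the group name dynamically rather than in a fixed-size buffer. */` would keep a future "optimisation" from reintroducing the bug. Freeing `controlgroup` immediately after the lookup is fine only if `NGfind` does not retain a pointer to its argument, which this hunk cannot confirm. If `concat` can return NULL on allocation failure rather than aborting, `NGfind` would then be called with NULL; if it follows an xmalloc-style abort convention that is not a concern. `ngp->PostCount = 0;` still dereferences the result of the `NGfind(ARTctl)` fallback unchecked, but that behaviour predates this patch. ARTpost's body starts and ends outside the hunk.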

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

