buffer overflow in innd/art.c (possibly serious)
Russ Allbery
rra at stanford.edu
Wed Jan 7 22:27:41 UTC 2004
Russ Allbery <rra at stanford.edu> writes:
> Yup, thanks. Fixing this now. I'll send out a patch and a new release
> ASAP.
Here is a patch:
--- art.c 2003/07/12 19:40:34 1.212.2.2
+++ art.c 2004/01/07 22:25:39 1.212.2.3
@@ -1,4 +1,4 @@
-/* $Id: art.c,v 1.212.2.2 2003/07/12 19:40:34 rra Exp $
+/* $Id: art.c,v 1.212.2.3 2004/01/07 22:25:39 rra Exp $
**
** Article-processing.
*/
@@ -1773,7 +1773,7 @@ ARTmakeoverview(CHANNEL *cp)
bool
ARTpost(CHANNEL *cp)
{
- char *p, **groups, ControlWord[SMBUF], tmpbuff[32], **hops;
+ char *p, **groups, ControlWord[SMBUF], **hops, *controlgroup;
int i, j, *isp, hopcount, oerrno, canpost;
NEWSGROUP *ngp, **ngptr;
SITE *sp;
@@ -2184,9 +2184,10 @@ ARTpost(CHANNEL *cp)
* or control. */
if (IsControl && Accepted && !ToGroup) {
ControlStore = true;
- FileGlue(tmpbuff, "control", '.', ControlWord);
- if ((ngp = NGfind(tmpbuff)) == NULL)
+ controlgroup = concat("control.", ControlWord, (char *) 0);
+ if ((ngp = NGfind(controlgroup)) == NULL)
ngp = NGfind(ARTctl);
+ free(controlgroup);
ngp->PostCount = 0;
ngptr = GroupPointers;
*ngptr++ = ngp;
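Review bot: The fallback `ngp = NGfind(ARTctl);` is still used unchecked, so `ngp->PostCount = 0;` would dereference NULL if the second lookup also fails; the NULL test on the first lookup shows that NGfind can return NULL. Whether the ARTctl group is guaranteed to exist is not visible in this hunk, so either add a guard such as `if (ngp == NULL)` before the `PostCount` write (the right handling depends on code outside the hunk) or state the invariant in a comment. Separately, a short comment at the `concat` call, e.g. `/* ControlWord may be up to SMBUF bytes; never build this name in a fixed-size buffer. */`, would record why the 32-byte `tmpbuff` was removed. ARTpost's body starts and ends outside this hunk.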
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>