On Mon, Apr 15, 2002 at 12:58:40AM +0900, Katsuhiro Kondou wrote: > > So your original problem cannot be reproduced > here. I've found and fixed the problem, it is a bug in nnrpd. It is allocating dynamic memory for the group name, taking a copy of the pointer to it, disposing of the memory, and then using the pointer. This might not show up on your system, depending on your heap management library. On my system (Debian testing) it does. I've attached a patch to fix this in nnrpd/group.c and also a print format typo in nnrpd/nnrpd.c. It seems to be a complete and necessary fix on my system, but I would welcome your reviewing of it for inclusion in mainstream INN, in particular that I have caught all the many exit paths out of CMDgroup(). Regards Nick Leverton -- Attached file included as plaintext by Ecartis -- diff -u -r -x*.o inn-STABLE-20020409/nnrpd/group.c inn-local-dev/nnrpd/group.c --- inn-STABLE-20020409/nnrpd/group.c Tue Apr 9 10:02:48 2002 +++ inn-local-dev/nnrpd/group.c Tue Apr 16 22:41:21 2002 @@ -35,14 +35,15 @@ Printf("%d No group specified\r\n", NNTP_XGTITLE_BAD); return; } else { - group = GRPcur; + group = COPY(GRPcur); } } else { - group = av[1]; + group = COPY(av[1]); } if (!OVgroupstats(group, &ARTlow, &ARThigh, &count, NULL)) { Reply("%s %s\r\n", NOSUCHGROUP, group); + DISPOSE(group); return; } @@ -57,6 +58,7 @@ if (reply != NULL) { syslog(L_TRACE, "PY_authorize() returned a refuse string for user %s at %s who wants to read %s: %s", PERMuser, ClientHost, group, reply); Reply("%d %s\r\n", NNTP_ACCESS_VAL, reply); + DISPOSE(group); return; } } @@ -69,10 +71,12 @@ grplist[1] = NULL; if (!PERMmatch(PERMreadlist, grplist)) { Reply("%s %s\r\n", NOSUCHGROUP, group); + DISPOSE(group); return; } } else { Reply("%s %s\r\n", NOSUCHGROUP, group); + DISPOSE(group); return; } @@ -114,6 +118,7 @@ Reply("%s %s\r\n", NOSUCHGROUP, group); } } + DISPOSE(group); } diff -u -r -x*.o inn-STABLE-20020409/nnrpd/nnrpd.c inn-local-dev/nnrpd/nnrpd.c --- inn-STABLE-20020409/nnrpd/nnrpd.c Tue Apr 9 10:02:48 2002 +++ inn-local-dev/nnrpd/nnrpd.c Tue Apr 16 23:24:52 2002 @@ -892,7 +892,7 @@ syslog(L_FATAL, "nnrpd %s must have group %s", innconf->pathrun, NEWSGRP); exit(1); } else if (pwd->pw_uid != Sb.st_uid) { - syslog(L_FATAL, "nnrpd % must be owned by %s", innconf->pathrun, NEWSUSER); + syslog(L_FATAL, "nnrpd %s must be owned by %s", innconf->pathrun, NEWSUSER); exit(1); }