INN commit: trunk (12 files)
INN Commit
rra at isc.org
Sat Jul 17 08:28:39 UTC 2010
Date: Saturday, July 17, 2010 @ 01:28:37
Author: iulius
Revision: 9084
A single header field line is limited to 998 bytes, per RFC 5536.
innd was previously accepting, and also generating Xref: header field
lines, up to 1022 bytes.
Use new MAXARTLINELENGTH and MED_BUFFER constants instead of
MAXHEADERSIZE in the code.
Update the test suite.
Meanwhile, fix two bugs in the generation of the Xref: header field:
* When resizing the buffer, the extra room for a CRLF that may be added
by a continuation line is not taken into account. Consequently,
when p[0] = '\r' and p[1] = '\n' are written, a segfault may occur.
* When comparing to MAXARTLINELENGTH, the final CRLF is not taken into
account ("+2" is missing in the count), so the generated Xref: header
field might end up with 1002 bytes!
Modified:
trunk/doc/pod/news.pod
trunk/frontends/ovdb_init.c
trunk/history/hisv6/hisv6.c
trunk/include/inn/options.h
trunk/innd/art.c
trunk/innd/nc.c
trunk/innd/python.c
trunk/storage/ovdb/ovdb.c
trunk/tests/data/articles/5
trunk/tests/data/articles/bad-long-cont
trunk/tests/data/articles/bad-long-hdr
trunk/tests/innd/artparse-t.c
-----------------------------------+
doc/pod/news.pod | 6 ++++++
frontends/ovdb_init.c | 4 ++--
history/hisv6/hisv6.c | 2 +-
include/inn/options.h | 20 +++++++++++---------
innd/art.c | 26 +++++++++++++++-----------
innd/nc.c | 16 ++++++++--------
innd/python.c | 4 ++--
storage/ovdb/ovdb.c | 2 +-
tests/data/articles/bad-long-cont | 4 ++--
tests/data/articles/bad-long-hdr | 4 ++--
tests/innd/artparse-t.c | 4 ++--
11 files changed, 52 insertions(+), 40 deletions(-)
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2010-07-11 09:28:55 UTC (rev 9083)
+++ doc/pod/news.pod 2010-07-17 08:28:37 UTC (rev 9084)
@@ -115,6 +115,12 @@
by B<cnfsheadconf>. There previoulsy was a confusion between hexadecimal
and decimal values. Thanks again to John S<F. Morse>.
+=item *
+
+A single header field line is limited to 998 bytes, per S<RFC 5536>.
+B<innd> was previously accepting, and also generating Xref: header field
+lines, up to 1022 bytes.
+
=back
=head1 Changes in 2.5.2
Modified: frontends/ovdb_init.c
===================================================================
--- frontends/ovdb_init.c 2010-07-11 09:28:55 UTC (rev 9083)
+++ frontends/ovdb_init.c 2010-07-17 08:28:37 UTC (rev 9084)
@@ -91,7 +91,7 @@
group_id_t gid, higid = 0, higidbang = 0;
struct groupinfo gi;
struct groupstats gs;
- char group[MAXHEADERSIZE];
+ char group[MED_BUFFER];
u_int32_t v2 = 2;
int ret;
@@ -121,7 +121,7 @@
memcpy(&higidbang, val.data, sizeof(group_id_t));
continue;
}
- if(key.size >= MAXHEADERSIZE)
+ if(key.size >= MED_BUFFER)
continue;
memcpy(group, key.data, key.size);
group[key.size] = 0;
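Review bot: The bound on `key.size` and the size of `group` are linked only by both spelling `MED_BUFFER`, with the declaration in the hunk at line 91 and the check here at line 121. Writing the guard as `if (key.size >= sizeof(group))` would keep the `memcpy` and the `group[key.size] = 0` terminator in bounds even if the array declaration is changed again without touching this line. The enclosing function starts and ends outside both hunks.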
Modified: history/hisv6/hisv6.c
===================================================================
--- history/hisv6/hisv6.c 2010-07-11 09:28:55 UTC (rev 9083)
+++ history/hisv6/hisv6.c 2010-07-17 08:28:37 UTC (rev 9084)
@@ -1133,7 +1133,7 @@
/* check if we've seen this message id already */
if (hiscookie->new && dbzexists(*hash)) {
- /* continue after duplicates, it serious, but not fatal */
+ /* continue after duplicates, it's serious, but not fatal */
hisv6_seterror(h, concat("duplicate message-id [",
HashToText(*hash), "] in history ",
hiscookie->new->histpath, NULL));
Modified: include/inn/options.h
===================================================================
--- include/inn/options.h 2010-07-11 09:28:55 UTC (rev 9083)
+++ include/inn/options.h 2010-07-17 08:28:37 UTC (rev 9084)
@@ -107,22 +107,24 @@
#define LOW_WATER (1 * 1024)
#define GROW_AMOUNT(x) ((x) < 128 * 1024 ? (x) : 128 * 1024)
+/* The maximum length of a single header or body line, including CRLF. */
+#define MAXARTLINELENGTH 1000
+
+/* The size of a small buffer. */
+#define SMBUF 256
+
+/* The size of a medium buffer. It should be greater than MAXARTLINELENGTH
+ * because it is sometimes used as a good guess at a buffer size for some
+ * header parsing code.*/
+#define MED_BUFFER 1024
+
/* The size of a large buffer. Free dynamically allocated buffers larger
than this when we're done with them. */
#define BIG_BUFFER (2 * START_BUFF_SIZE)
-/* The maximum length of a single header, used as a good guess at a buffer
- size for some header parsing code. This is currently also used by innd
- to determine whether to reject a message for an excessively long header;
- this behavior should be fixed. FIXME */
-#define MAXHEADERSIZE 1024
-
/* Default buffer size for outgoing feeds from innd. */
#define SITE_BUFFER_SIZE (16 * 1024)
-/* The size of a small buffer. */
-#define SMBUF 256
-
/* Maximum size of a pathname in the spool directory. */
#define SPOOLNAMEBUFF 512
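Review bot: The requirement stated in the new comment, that MED_BUFFER be greater than MAXARTLINELENGTH, is not enforced anywhere in this hunk. The Xref: generation in innd/art.c allocates and grows its buffer in MED_BUFFER steps while limiting each line to MAXARTLINELENGTH, so a later edit that breaks the relation would weaken that buffer accounting without any warning. A compile-time guard beside the definitions would turn that into a build failure: `#if MED_BUFFER <= MAXARTLINELENGTH`, `#error "MED_BUFFER must be greater than MAXARTLINELENGTH"`, `#endif`. The MED_BUFFER comment is also missing a space before its closing `*/`.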
Modified: innd/art.c
===================================================================
--- innd/art.c 2010-07-11 09:28:55 UTC (rev 9083)
+++ innd/art.c 2010-07-17 08:28:37 UTC (rev 9084)
@@ -845,7 +845,8 @@
length = i - data->LastCRLF - 1;
if (data->LastCRLF == cp->Start)
length++;
- if (length > MAXHEADERSIZE)
+ /* length includes final CRLF. */
+ if (length > MAXARTLINELENGTH)
ARTerror(cp, "Header line too long (%lu bytes)", length);
/* Be a little tricky here. Normally, the headers end at the
@@ -1397,7 +1398,7 @@
}
/*
-** Assign article numbers to the article and create the Xref line.
+** Assign article numbers to the article and create the Xref: header field.
** If we end up not being able to write the article, we'll get "holes"
** in the directory and active file.
*/
@@ -1409,7 +1410,7 @@
NEWSGROUP *ngp;
if (data->XrefBufLength == 0) {
- data->XrefBufLength = MAXHEADERSIZE * 2 + 1;
+ data->XrefBufLength = MED_BUFFER * 2 + 1;
data->Xref = xmalloc(data->XrefBufLength);
strncpy(data->Xref, Path.data, Path.used - 1);
}
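Review bot: The initial `strncpy(data->Xref, Path.data, Path.used - 1)` is bounded by the source length, not by the `MED_BUFFER * 2 + 1` bytes allocated on the line before, and strncpy leaves the destination unterminated when it copies exactly the count it is given. Path presumably comes from local configuration rather than from the article, so this is a robustness point rather than a remotely reachable one. The allocation could still be derived from it, for example `data->XrefBufLength = Path.used + MED_BUFFER * 2 + 1;`. The function begins and continues outside this hunk, so termination may be handled further down.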
@@ -1429,14 +1430,16 @@
continue;
}
ngp->Filenum = ngp->Last;
- /* len ' ' "news_groupname" ':' "#" "\r\n" */
- if (len + 1 + ngp->NameLength + 1 + 10 + 2 > data->XrefBufLength) {
- data->XrefBufLength += MAXHEADERSIZE;
+ /* len ' ' "news_groupname" ':' "#" "\r\n"
+ plus an extra 2 bytes for "\r\n" in case of a continuation line. */
+ if (len + 1 + ngp->NameLength + 1 + 10 + 2 + 2 > data->XrefBufLength) {
+ data->XrefBufLength += MED_BUFFER;
data->Xref = xrealloc(data->Xref, data->XrefBufLength);
p = data->Xref + len;
}
- if (linelen + 1 + ngp->NameLength + 1 + 10 > MAXHEADERSIZE) {
- /* line exceeded */
+ /* Trailing CRLF is counted in the maximum length. */
+ if (linelen + 1 + ngp->NameLength + 1 + 10 + 2 > MAXARTLINELENGTH) {
+ /* Line exceeded. */
sprintf(p, "\r\n %s:%lu", ngp->Name, ngp->Filenum);
buflen = strlen(p);
linelen = buflen - 2;
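Review bot: The write at `sprintf(p, "\r\n %s:%lu", ngp->Name, ngp->Filenum)` is still unbounded and stays safe only as long as the hand-counted sum in the resize test is right. The `10` assumes the article number never needs more than ten decimal digits although it is printed with `%lu`, and the single `if` grows the buffer by one MED_BUFFER step whatever `ngp->NameLength` is. Both hold for ordinary active-file contents, but a bounded call would make the invariant explicit: `snprintf(p, data->XrefBufLength - len, "\r\n %s:%lu", ngp->Name, ngp->Filenum)`, with `while` replacing `if` on the resize test. This assumes p equals `data->Xref + len` at that point, as the reallocation branch suggests; the surrounding loop and the non-continuation branch are outside the hunk.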
@@ -1449,10 +1452,11 @@
p += buflen;
}
/* p[0] is replaced with '\r' to be wireformatted when stored. p[1] needs to
- be '\n' */
+ be '\n'. We have enough place to modify p here (checked during the
+ reallocation above). */
p[0] = '\r';
p[1] = '\n';
- /* data->XrefLength includes trailing "\r\n" */
+ /* data->XrefLength includes trailing "\r\n". */
data->XrefLength = len + 2;
data->Replic = q + 1;
data->ReplicLength = len - (q + 1 - data->Xref);
@@ -1819,7 +1823,7 @@
}
/* Setup. */
- buffer_resize(overview, MAXHEADERSIZE);
+ buffer_resize(overview, MED_BUFFER);
buffer_set(overview, "", 0);
/* Write the data, a field at a time. */
Modified: innd/nc.c
===================================================================
--- innd/nc.c 2010-07-11 09:28:55 UTC (rev 9083)
+++ innd/nc.c 2010-07-17 08:28:37 UTC (rev 9084)
@@ -674,10 +674,10 @@
if (cp->Sendid.size < msglen) {
if (cp->Sendid.size > 0)
free(cp->Sendid.data);
- if (msglen > MAXHEADERSIZE)
+ if (msglen > MED_BUFFER)
cp->Sendid.size = msglen;
else
- cp->Sendid.size = MAXHEADERSIZE;
+ cp->Sendid.size = MED_BUFFER;
cp->Sendid.data = xmalloc(cp->Sendid.size);
}
snprintf(cp->Sendid.data, cp->Sendid.size, "%d %.200s",
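Review bot: The Sendid resize block edited here is repeated verbatim in the hunks at lines 701, 1762 and 1912, so this constant rename had to be applied eight times. Collapsing the size choice to `cp->Sendid.size = msglen > MED_BUFFER ? msglen : MED_BUFFER;` would shorten each copy, and moving the whole block into one static helper in nc.c would stop the four copies from drifting apart. A one-line comment on it such as `/* Make sure cp->Sendid can hold msglen bytes, allocating at least MED_BUFFER. */` would document the intent. The `snprintf` call that closes this hunk continues outside it.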
@@ -701,10 +701,10 @@
if (cp->Sendid.size < msglen) {
if (cp->Sendid.size > 0)
free(cp->Sendid.data);
- if (msglen > MAXHEADERSIZE)
+ if (msglen > MED_BUFFER)
cp->Sendid.size = msglen;
else
- cp->Sendid.size = MAXHEADERSIZE;
+ cp->Sendid.size = MED_BUFFER;
cp->Sendid.data = xmalloc(cp->Sendid.size);
}
snprintf(cp->Sendid.data, cp->Sendid.size, "%d %.200s",
@@ -1762,10 +1762,10 @@
if (cp->Sendid.size < msglen) {
if (cp->Sendid.size > 0)
free(cp->Sendid.data);
- if (msglen > MAXHEADERSIZE)
+ if (msglen > MED_BUFFER)
cp->Sendid.size = msglen;
else
- cp->Sendid.size = MAXHEADERSIZE;
+ cp->Sendid.size = MED_BUFFER;
cp->Sendid.data = xmalloc(cp->Sendid.size);
}
if (!IsValidMessageID(cp->av[1], false)) {
@@ -1912,10 +1912,10 @@
if (cp->Sendid.size < msglen) {
if (cp->Sendid.size > 0)
free(cp->Sendid.data);
- if (msglen > MAXHEADERSIZE)
+ if (msglen > MED_BUFFER)
cp->Sendid.size = msglen;
else
- cp->Sendid.size = MAXHEADERSIZE;
+ cp->Sendid.size = MED_BUFFER;
cp->Sendid.data = xmalloc(cp->Sendid.size);
}
/* Save ID for later NACK or ACK. */
Modified: innd/python.c
===================================================================
--- innd/python.c 2010-07-11 09:28:55 UTC (rev 9083)
+++ innd/python.c 2010-07-17 08:28:37 UTC (rev 9084)
@@ -340,9 +340,9 @@
size = end - ngp->Rest;
/* If an alias is longer than this, active is probably broken. */
- if (size > MAXHEADERSIZE) {
+ if (size > MED_BUFFER) {
syslog(L_ERROR, "too-long flag field in active for %s", newsgroup);
- size = MAXHEADERSIZE;
+ size = MED_BUFFER;
}
return PyString_FromStringAndSize(ngp->Rest, size);
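Review bot: `MED_BUFFER` is used here as a sanity limit on the flag field read from the active file, not as the size of any buffer visible in this hunk. That is the same mixing of "buffer size" and "data limit" that this commit removes for header lines. A constant named for what it limits would keep a later change to MED_BUFFER from silently changing how much of `ngp->Rest` is passed to `PyString_FromStringAndSize`. The comment also speaks of an alias while the syslog message says flag field; it could read `/* If the flag field is longer than this, active is probably broken. */`.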
Modified: storage/ovdb/ovdb.c
===================================================================
--- storage/ovdb/ovdb.c 2010-07-11 09:28:55 UTC (rev 9083)
+++ storage/ovdb/ovdb.c 2010-07-17 08:28:37 UTC (rev 9084)
@@ -1719,7 +1719,7 @@
&& !(gi.status & GROUPINFO_EXPIRING)
&& !(gi.status & GROUPINFO_MOVING)) {
int s, c = 0;
- char g[MAXHEADERSIZE];
+ char g[MED_BUFFER];
strlcpy(g, group, sizeof(g));
s = strlen(g) + 1;
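Review bot: The return value of `strlcpy(g, group, sizeof(g))` is ignored, so a group name of MED_BUFFER bytes or more would be silently truncated and the code after it would carry on with the shortened name. Testing it with `if (strlcpy(g, group, sizeof(g)) >= sizeof(g))` and treating the group as invalid in that case would make the condition visible. Which error path fits depends on code outside this hunk. Names of that length are not expected in practice, so this is a defensive check.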
Modified: tests/data/articles/5
===================================================================
(Binary files differ)
Modified: tests/data/articles/bad-long-cont
===================================================================
--- tests/data/articles/bad-long-cont 2010-07-11 09:28:55 UTC (rev 9083)
+++ tests/data/articles/bad-long-cont 2010-07-17 08:28:37 UTC (rev 9084)
@@ -2,11 +2,11 @@
Newsgroups: example.test
Subject: Article with too long of a header
T: Testing
- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
Testing
From: user at example.com
Date: Sat, 06 Mar 2004 21:39:44 -0800
Message-ID: <bad-long-header at example.com>
Xref: news.example.com example.test:1
-This is an article with a header continuation line exceeding MAXHEADERSIZE.
+This is an article with a header continuation line exceeding MAXARTLINELENGTH.
Modified: tests/data/articles/bad-long-hdr
===================================================================
--- tests/data/articles/bad-long-hdr 2010-07-11 09:28:55 UTC (rev 9083)
+++ tests/data/articles/bad-long-hdr 2010-07-17 08:28:37 UTC (rev 9084)
@@ -1,10 +1,10 @@
Path: news.example.com!not-for-mail
Newsgroups: example.test
Subject: Article with too long of a header
-T: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+T: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa
From: user at example.com
Date: Sat, 06 Mar 2004 21:39:44 -0800
Message-ID: <bad-long-header at example.com>
Xref: news.example.com example.test:1
-This is an article with a header line exceeding MAXHEADERSIZE.
+This is an article with a header line exceeding MAXARTLINELENGTH.
Modified: tests/innd/artparse-t.c
===================================================================
--- tests/innd/artparse-t.c 2010-07-11 09:28:55 UTC (rev 9083)
+++ tests/innd/artparse-t.c 2010-07-17 08:28:37 UTC (rev 9084)
@@ -37,9 +37,9 @@
{ "../data/articles/bad-hdr-trunc",
"437 No colon-space in \"Test:\" header" },
{ "../data/articles/bad-long-cont",
- "437 Header line too long (1025 bytes)" },
+ "437 Header line too long (1001 bytes)" },
{ "../data/articles/bad-long-hdr",
- "437 Header line too long (1025 bytes)" },
+ "437 Header line too long (1001 bytes)" },
{ "../data/articles/bad-no-body",
"437 No body" },
{ "../data/articles/bad-no-header",
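Review bot: Both updated expectations exercise only the rejecting side of the new limit, a 1001-byte line, so nothing visible here pins the accepting side. A companion article whose longest header line is exactly 1000 bytes including CRLF, expected to be accepted, would catch an off-by-one in the `length > MAXARTLINELENGTH` comparison in innd/art.c. As far as the visible hunks show, the two Xref: generation bugs described in the commit message have no regression test in this diff either.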