BUG in art.c:2284 ARTpost() causes core

Miquel van Smoorenburg list-inn-workers at news.cistron.nl
Fri Nov 19 11:03:30 UTC 1999 

In article <cistron.19991119141515J.kondou at inn.do.mms.mt.nec.co.jp>,
Katsuhiro Kondou  <kondou at nec.co.jp> wrote:
>In article <19991119042108.63479285BE at wawura.off.connect.com.au>,
>	Andrew McNamara <andrewm at connect.com.au> wrote;
>
>} I still don't think this is right - the test should be:
>} 
>} 	if (distributions[0] == NULL)
>} 
>} BUT - the null list comes about as a result of the call to DISTparse(),
>} so the check must occur after this.
>
>CommaSplit() always returns a list of pointers and
>there are two at least including NULL.  And all ','
>in Distribution header are replaced with '\0' in
>CommpaSplit().  This means if it begins with ',',
>*distribution[0] is '\0'.  So, I think it works.

Yes the code looks that way, but there's a bit more to it. Look at
a gdb strace of a crashed innd:

#0  0x8067362 in MaxLength (p=0x0, q=0x0) at innd.c:134
134         i = strlen(p);
(gdb) up
#1  0x805f582 in ARTpost (cp=0x401be108) at art.c:2133
2133                (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
(gdb) l
2128        distributions = *p ? CommaSplit(p) : NULL;
2129        if (distributions) {
2130            DISTparse(distributions, &Data);
2131            if (ME.Distributions
2132             && !DISTwantany(ME.Distributions, distributions)) {
2133                (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
2134                        NNTP_REJECTIT_VAL,
2135                        MaxLength(distributions[0], distributions[0]));
2136                ARTlog(&Data, ART_REJECT, buff);
2137                if (innconf->remembertrash && (Mode == OMrunning) &&
(gdb) print distributions[0]
$1 = 0x0

As you can see distributions[0] is most certainly NULL, and dereferencing
it as *distributions[0] will cause a coredump.

In fact that is WHY innd crashed in the first place; the dereference
of distributions[0] in the sprintf() ...

Mike.
-- 
First things first, but not necessarily in that order.
-- 
The From: and Reply-To: addresses are internal news2mail gateway addresses.
Reply to the list or to miquels at cistron.nl (Miquel van Smoorenburg)

More information about the inn-workers mailing list