BUG in art.c:2284 ARTpost() causes core

N niels at bakker.net
Fri Nov 19 12:23:32 UTC 1999


Miquel van Smoorenburg wrote:

> Yes the code looks that way, but there's a bit more to it. Look at
> a gdb strace of a crashed innd:
> 
> #0  0x8067362 in MaxLength (p=0x0, q=0x0) at innd.c:134
> 134         i = strlen(p);
> (gdb) up
> #1  0x805f582 in ARTpost (cp=0x401be108) at art.c:2133
> 2133                (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
> (gdb) l
> 2128        distributions = *p ? CommaSplit(p) : NULL;
> 2129        if (distributions) {
> 2130            DISTparse(distributions, &Data);
> 2131            if (ME.Distributions
> 2132             && !DISTwantany(ME.Distributions, distributions)) {
> 2133                (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
> 2134                        NNTP_REJECTIT_VAL,
> 2135                        MaxLength(distributions[0], distributions[0]));
> 2136                ARTlog(&Data, ART_REJECT, buff);
> 2137                if (innconf->remembertrash && (Mode == OMrunning) &&
> (gdb) print distributions[0]
> $1 = 0x0
> 
> As you can see distributions[0] is most certainly NULL, and dereferencing
> it as *distributions[0] will cause a coredump.
> 
> In fact that is WHY innd crashed in the first place; the dereference
> of distributions[0] in the sprintf() ...

In fact it was calling strlen() on it.  Libc's printf of most platforms
just outputs (null) instead of coring.  FreeBSD, Linux and IRIX live,
SunOS 5.x dies.

The article that caught me was <942925094.1792snx at wang.pc.my>, apparently
containing Distribution: \r\n as `print Data' in gdb shows.


	-- Niels.
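The crash described above boils down to two things: CommaSplit() of a header that is only CR LF yields a vector whose first entry is NULL, and that NULL is then handed to strlen() inside MaxLength() (and to sprintf's "%s", which only some libcs tolerate). The following is an added example, not INN's code and not from this thread: it re-creates the two states with small stand-ins (split_commas(), log_value(), format_reject()), so the names, the truncation width and the reject-code value 437 are all assumptions made for this example, and it shows the reject line being formatted without ever passing a NULL pointer to strlen() or "%s".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NNTP_REJECTIT_VAL 437  /* assumed value of innd's reject code for this example */
#define MAX_LOG_VALUE 40       /* assumed truncation width, in the spirit of MaxLength() */

/* Split a header value on commas in place, trimming blanks and CR/LF around
 * each entry and dropping empty entries. Mimics the shape of innd's CommaSplit():
 * the result is NULL-terminated, so a value of just "\r\n" gives count 0 and
 * entries[0] == NULL, the state seen in the gdb session above. */
size_t split_commas(char *value, const char **entries, size_t max_entries)
{
    size_t count = 0;
    char *p = value;

    while (count + 1 < max_entries) {
        char *start, *end;
        while (*p && (isspace((unsigned char)*p) || *p == ','))
            p++;                       /* skip blanks, CR, LF and empty fields */
        if (*p == '\0')
            break;
        start = p;
        while (*p && *p != ',')
            p++;
        end = p;
        if (*p == ',')
            *p++ = '\0';
        while (end > start && isspace((unsigned char)end[-1]))
            end--;                     /* trim trailing blanks / CRLF */
        *end = '\0';
        entries[count++] = start;
    }
    entries[count] = NULL;
    return count;
}

/* NULL-safe replacement for the MaxLength() idiom: copy value into out,
 * truncating with "..." when it is longer than MAX_LOG_VALUE. A NULL value
 * is logged as an empty string instead of being handed to strlen(). */
const char *log_value(const char *value, char *out, size_t outlen)
{
    if (value == NULL)
        value = "";
    if (strlen(value) > MAX_LOG_VALUE)
        snprintf(out, outlen, "%.*s...", MAX_LOG_VALUE, value);
    else
        snprintf(out, outlen, "%s", value);
    return out;
}

/* Build the reject line innd logs when no distribution is wanted. Never passes
 * a possibly-NULL entries[0] to sprintf(): on an empty list it logs "" and
 * returns 0 so the caller can treat the header as absent rather than crash. */
int format_reject(const char **entries, char *msg, size_t msglen)
{
    char shown[MAX_LOG_VALUE + 4];
    int empty = (entries == NULL || entries[0] == NULL);

    snprintf(msg, msglen, "%d Unwanted distribution \"%s\"",
             NNTP_REJECTIT_VAL,
             log_value(empty ? NULL : entries[0], shown, sizeof shown));
    return !empty;
}

int main(void)
{
    /* Constructed header values: the first mirrors a Distribution: header
     * that contains only CR LF, the second is an ordinary list. */
    char bad[] = "\r\n", good[] = "local, world\r\n";
    const char *entries[8];
    char msg[128];
    size_t n;

    n = split_commas(bad, entries, 8);
    format_reject(entries, msg, sizeof msg);
    printf("entries=%zu -> %s\n", n, msg);

    n = split_commas(good, entries, 8);
    format_reject(entries, msg, sizeof msg);
    printf("entries=%zu -> %s\n", n, msg);
    return 0;
}
```

The guard belongs in the formatter rather than in the caller: relying on the libc to print "(null)" for a NULL "%s" argument is exactly the portability trap the thread describes, so any value that may come from an empty or absent header is normalised to "" before it reaches strlen() or sprintf().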


