innd crashing in -current

Russ Allbery rra at stanford.edu
Wed Feb 7 07:30:09 UTC 2001


Alex Kiernan <alexk at demon.net> writes:

> I think I've got art.c overrunning a buffer & core dumping at the
> strcpy in FileGlue:

Try this:

--- art.c       2001/02/07 03:02:21     1.161
+++ art.c       2001/02/07 07:28:26
@@ -1239,7 +1239,8 @@
 
   /* Nip off the first word into lowercase. */
   strncpy(ControlWord, HDR(_control), sizeof ControlWord);
-  for (p = ControlWord; *p && !ISWHITE(*p); p++)
+  ControlWord[sizeof(ControlWord) - 1] = '\0';
+  for (p = ControlWord; *p && !CTYPE(isspace, *p); p++)
     if (CTYPE(isupper, *p))
       *p = tolower(*p);
   if (*p)
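Review bot: the explicit `ControlWord[sizeof(ControlWord) - 1] = '\0'` closes the overrun for a header value at least sizeof ControlWord bytes long, but the strncpy on the line above still scans the source until it hits a NUL, so if HDR(_control) is not NUL-terminated (as the discussion below this hunk suspects) and is shorter than ControlWord, the copy runs past the end of the header value into whatever follows it in the buffer. Bound the copy by the header's length as well as by sizeof ControlWord (a length-limited memcpy followed by the same explicit terminator), rather than relying on strncpy to stop. A smaller point: the tests go through CTYPE() but `*p = tolower(*p);` does not, so if CTYPE exists to cast to unsigned char before the ctype call, the tolower call should get the same cast.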

I'm still pretty unconvinced that code is working, though; it looks like
it's making a lot of assumptions about header values being nul-terminated,
when (if I follow the code correctly) they no longer are.  Plus, it's
modifying things in-place, like the Control header, and it looks like that
may be a live copy of the article (?) which could mean article corruption.

I think the right thing to do is to just rip out all the old control
message processing entirely and require that people use controlchan if
they want to process control messages.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
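The two hazards discussed above, strncpy leaving a fixed buffer unterminated and a header value that carries no NUL of its own, as an added example in C that is not INN code and not part of this message. It assumes the header value is available as a pointer plus an explicit length, uses a constructed article fragment as input, and skips leading blanks before the first word (an addition; the patched loop does not):

```c
/* Added example, not INN code: extract the first word of a header value that
   is known only by pointer and length, lowercased, into a fixed buffer that is
   always NUL-terminated, and show why plain strncpy is not enough. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the first whitespace-delimited word of value[0..len) into out
   (capacity outsize), lowercased and NUL-terminated.  Never reads past len
   and never writes past outsize; a word that does not fit is truncated.
   Returns the number of bytes stored, excluding the terminator.
   Assumption: leading blanks are skipped, which the patched loop does not do. */
size_t control_word(const char *value, size_t len, char *out, size_t outsize)
{
    size_t in = 0, n = 0;

    if (outsize == 0)
        return 0;
    while (in < len && isspace((unsigned char) value[in]))
        in++;
    while (in < len && n < outsize - 1 && !isspace((unsigned char) value[in]))
        out[n++] = (char) tolower((unsigned char) value[in++]);
    out[n] = '\0';
    return n;
}

/* The strncpy pitfall: when the source is at least dstsize bytes long,
   strncpy stores no terminator at all.  Returns 1 if a NUL landed inside the
   first dstsize bytes of the destination, 0 if it did not, -1 on bad size. */
int strncpy_terminated(const char *src, size_t dstsize)
{
    char dst[64];                       /* oversized so the probe stays in bounds */

    if (dstsize > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);       /* make a missing NUL visible */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

int main(void)
{
    /* Constructed article fragment: the Control value is followed directly by
       the next header line, with no NUL between them, which is the situation
       the message above describes for INN's header pointers. */
    static const char article[] = "Cancel <x@y.z>\r\nSubject: test\r\n";
    const char *control = article;
    size_t control_len = 14;            /* length of "Cancel <x@y.z>" */
    char word[8];
    size_t n = control_word(control, control_len, word, sizeof word);

    printf("control word: \"%s\" (%zu bytes)\n", word, n);
    printf("strncpy of an 8-byte source into 8 bytes terminated? %d\n",
           strncpy_terminated("abcdefgh", 8));
    printf("strncpy of a 3-byte source into 8 bytes terminated? %d\n",
           strncpy_terminated("abc", 8));
    return 0;
}
```

The length bound matters independently of the destination size: in the fragment above, stopping at whitespace happens to work, but a Control header whose value ran to the end of the buffer without a blank would otherwise be read straight through into the following headers.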


More information about the inn-workers mailing list