innd crashing in -current
Russ Allbery
rra at stanford.edu
Wed Feb 7 07:30:09 UTC 2001
Alex Kiernan <alexk at demon.net> writes:
> I think I've got art.c overrunning a buffer & core dumping at the
> strcpy in FileGlue:
Try this:
--- art.c 2001/02/07 03:02:21 1.161
+++ art.c 2001/02/07 07:28:26
@@ -1239,7 +1239,8 @@
/* Nip off the first word into lowercase. */
strncpy(ControlWord, HDR(_control), sizeof ControlWord);
- for (p = ControlWord; *p && !ISWHITE(*p); p++)
+ ControlWord[sizeof(ControlWord) - 1] = '\0';
+ for (p = ControlWord; *p && !CTYPE(isspace, *p); p++)
if (CTYPE(isupper, *p))
*p = tolower(*p);
if (*p)
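Review bot: the added ControlWord[sizeof(ControlWord) - 1] = '\0' fixes the case where strncpy fills the buffer without writing a terminator, but the strncpy call on the context line above it still reads HDR(_control) until it finds a nul or has copied sizeof ControlWord bytes. If the header value is not nul-terminated, a short Control value will pull whatever follows it in memory into ControlWord. Bounding the copy by the header's known length would close that. A control word longer than the buffer is now silently truncated before the comparison that follows, so a comment or an explicit length check would make that intent clear. The same line also replaces ISWHITE with CTYPE(isspace, *p), which changes which characters end the word; that deserves a mention in the commit message.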
I'm still pretty unconvinced that code is working, though; it looks like
it's making a lot of assumptions about header values being nul-terminated,
when (if I follow the code correctly) they no longer are. Plus, it's
modifying things in-place, like the Control header, and it looks like that
may be a live copy of the article (?) which could mean article corruption.
I think the right thing to do is to just rip out all the old control
message processing entirely and require that people use controlchan if
they want to process control messages.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
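
The concerns raised in the message above (header values that are not nul-terminated, and lowercasing done in place) can both be avoided by copying the first word out of a length-delimited header into a bounded buffer. This is an added example, not part of the original message and not INN code; first_word_lower, the buffer size and the sample header are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy the first whitespace-delimited word of a header value into dst,
 * lowercased.  src is length-delimited (srclen bytes) and need not be
 * nul-terminated; it is never modified.  dst is always nul-terminated
 * when dstsize > 0.  Returns the length of the word in the source, so
 * the caller can detect truncation with (ret >= dstsize).
 * Hypothetical helper, not an INN function.
 */
size_t
first_word_lower(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    size_t i, n = 0;

    for (i = 0; i < srclen && src[i] != '\0'
             && !isspace((unsigned char) src[i]); i++) {
        if (dstsize > 0 && n < dstsize - 1)
            dst[n++] = (char) tolower((unsigned char) src[i]);
    }
    if (dstsize > 0)
        dst[n] = '\0';
    return i;
}

int
main(void)
{
    /* Constructed sample: a header value inside a larger article buffer,
       followed directly by more data with no nul in between. */
    static const char article[] =
        "NewGroup example.test moderated\r\nX-Next: y";
    size_t hdrlen = strlen("NewGroup example.test moderated");
    char word[8];               /* deliberately too small for "newgroup" */
    size_t len;

    len = first_word_lower(word, sizeof word, article, hdrlen);
    printf("word=\"%s\" len=%lu truncated=%s\n", word,
           (unsigned long) len, len >= sizeof word ? "yes" : "no");
    return 0;
}
```

Returning the source word length lets the caller reject an over-long control word instead of matching on a truncated prefix.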