Uninitialised reads in innd (current from this morning)

Kiernan, Alex alexk at demon.net
Thu Feb 15 16:01:27 UTC 2001


> } Looks like a buffer overrun, the core dump is completely trashed.
> :
> } 	ARTcontrol     [art.c:1248]
> } 	ARTpost        [art.c:2696]
> 
> I think all of known bugs are fixed.  Your code is a bit old.
> Current line 2696 in art.c calls SITEsend().  Could you update?

Sorry, I'd forgotten I was running from my modified code with the history
API in it, which is current with what's in CVS. art.c:2696 is a call to
ARTcancel in that code I have:

art.c:1248
  for (p = ControlWord; *p && !ISWHITE(*p); p++)
    if (CTYPE(isupper, *p))
      *p = tolower(*p);
  if (*p)
    *p++ = '\0';

I'll roll it back to straight -current & leave it running overnight to see
if it dies again.

Later... art.c:1245 (straight from CVS this time!), looks like it could be
the problem - if the length of HDR(HDR__CONTROL) is >= SMBUF then
ControlWord won't get null terminated by the strncpy() there.

-- 
Alex Kiernan, Principal Engineer, Development, Thus PLC
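The strncpy() termination problem described in the message above, shown as an added example that is not part of this post and not INN's own code. SMBUF is assumed to be 256 for the purposes of the example, and the function names and the sample header strings are constructed here; the lowering loop mirrors the quoted art.c:1248 fragment and is only safe once the buffer it walks is guaranteed to carry a NUL.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: INN's small buffer size.  The real value
 * lives in INN's headers; 256 is used here so the example is self-contained. */
#define SMBUF 256

/* The pattern under discussion: strncpy() NUL-pads when the source is
 * short, but when the source has SMBUF or more characters it writes
 * exactly SMBUF bytes and no terminator.  Returns 1 if the destination
 * ended up NUL-terminated somewhere inside its SMBUF bytes, else 0. */
int copy_control_strncpy(char *dst, const char *hdr)
{
    strncpy(dst, hdr, SMBUF);
    return memchr(dst, '\0', SMBUF) != NULL;
}

/* Hardened form: copy at most SMBUF-1 bytes and always terminate, so a
 * later byte-by-byte scan of dst can never run off the end.  Returns 1 if
 * the whole header fitted, 0 if it had to be truncated. */
int copy_control_bounded(char *dst, const char *hdr)
{
    size_t len = strlen(hdr);
    size_t n = len < SMBUF - 1 ? len : SMBUF - 1;
    memcpy(dst, hdr, n);
    dst[n] = '\0';
    return len <= SMBUF - 1;
}

/* Same logic as the quoted art.c fragment: lower-case the first word and
 * cut the string at the first whitespace.  Relies on word being terminated. */
void lower_control_word(char *word)
{
    char *p;
    for (p = word; *p && !isspace((unsigned char)*p); p++)
        if (isupper((unsigned char)*p))
            *p = (char)tolower((unsigned char)*p);
    if (*p)
        *p = '\0';
}

/* Constructed inputs: a plausible short Control header and an over-long one. */
static const char *short_header = "Cancel <1234@example.invalid>";

static void make_long_header(char *buf, size_t size)
{
    memset(buf, 'A', size - 1);   /* SMBUF+63 'A's: longer than SMBUF */
    buf[size - 1] = '\0';
}

/* Does strncpy() leave a terminator when the header is >= SMBUF long? */
int strncpy_terminates_long_header(void)
{
    char hdr[SMBUF + 64], dst[SMBUF];
    make_long_header(hdr, sizeof hdr);
    return copy_control_strncpy(dst, hdr);
}

/* Length of the bounded copy of the same over-long header. */
int bounded_copy_length_long_header(void)
{
    char hdr[SMBUF + 64], dst[SMBUF];
    make_long_header(hdr, sizeof hdr);
    copy_control_bounded(dst, hdr);
    return (int)strlen(dst);
}

/* Bounded copy plus the lowering loop on a normal header gives "cancel". */
int lowered_short_header_is_cancel(void)
{
    char dst[SMBUF];
    copy_control_bounded(dst, short_header);
    lower_control_word(dst);
    return strcmp(dst, "cancel") == 0;
}

int main(void)
{
    printf("strncpy terminated over-long header: %d\n", strncpy_terminates_long_header());
    printf("bounded copy length: %d\n", bounded_copy_length_long_header());
    printf("short header lowers to \"cancel\": %d\n", lowered_short_header_is_cancel());
    return 0;
}
```

The first check returns 0: after strncpy() of a header of SMBUF or more bytes there is no NUL in the buffer, so the for loop at art.c:1248 reads past ControlWord until it happens to hit a NUL or whitespace, which matches the "uninitialised read" and trashed core the message describes. Explicit termination after the copy (or the bounded copy above) removes that path regardless of header length.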
