[a.d.stribblehill at durham.ac.uk: Bug#176336: inn fails to post articles]

Marco d'Itri md at Linux.IT
Mon Jan 13 11:56:38 UTC 2003


This has been reported by a Debian user; the INN version is STABLE 20020922.
Has it already been fixed?

----- Forwarded message from Andrew Stribblehill <a.d.stribblehill at durham.ac.uk> -----

Subject: Bug#176336: inn fails to post articles
Reply-To: Andrew Stribblehill <a.d.stribblehill at durham.ac.uk>,
	176336 at bugs.debian.org
X-Debian-PR-Message: report 176336
X-Debian-PR-Package: inn2
X-Debian-PR-Keywords: help unreproducible moreinfo sid
From: Andrew Stribblehill <a.d.stribblehill at durham.ac.uk>
To: pawel.sokolowski at don.falconne.eu.org, 176336 at bugs.debian.org
Cc: "Marco d'Itri" <md at linux.it>,
	Pawel Sokolowski <falcon at wysocki.lodz.pdi.net>,
	Debian Bug Tracking System <control at bugs.debian.org>

Quoting Paweł Sokołowski <falcon at don.falconne.eu.org> (2003-01-12 04:27:17 GMT):
> > >post.c:1097 Can't malloc 4294726168 bytes: Cannot allocate memoryConnection closed by foreign host.

I had a similar problem, and patched it as follows:

--- inn2-2.3.3+20020922.orig/nnrpd/post.c
+++ inn2-2.3.3+20020922/nnrpd/post.c
@@ -812,9 +812,11 @@
     /* Write the headers and a blank line. */
     for (hp = Table; hp < ENDOF(Table); hp++)
 	if (hp->Value) {
-	    q = NEW(char, hp->Body - hp->Value + hp->Len + 1);
-	    strncpy(q, hp->Value, hp->Body - hp->Value + hp->Len);
-	    *(q + (int)(hp->Body - hp->Value) + hp->Len) = '\0';
+	  /*	  fprintf(stderr, "hp->Body: %x %s\n", hp->Body, hp->Body);
+	  fprintf(stderr, "hp->Value: %x %s\n", hp->Value, hp->Value);
+	  fprintf(stderr, "hp->Len+1: %d", hp->Len + 1); */
+	    q = NEW(char, strlen(hp->Value) + 1);
+	    strcpy(q, hp->Value);
 	    if (*hp->Value == ' ' || *hp->Value == '\t')
 		(void)fprintf(F, "%s:%s\n", hp->Name, hp->Value);
 	    else
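Review bot: the three commented-out fprintf debugging lines at the top of this hunk should be dropped before the patch goes in: they are dead code, their two-space indentation does not match the surrounding tab indentation, and `%x` with a `char *` argument is the wrong conversion for a pointer (`%p`) and truncates it on 64-bit. The substantive change, replacing the `hp->Body - hp->Value + hp->Len + 1` size with `strlen(hp->Value) + 1`, also changes what is copied: the old code copied a bounded span and terminated it itself, while `strcpy` copies up to whatever NUL ends `hp->Value`, so the patch now relies on `hp->Value` being a properly terminated string holding exactly the intended header. Nothing in the hunk shows where `Table` is filled, so that assumption should be stated in a comment, or asserted, at this call site.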
@@ -1094,9 +1097,8 @@
     /* Write the headers and a blank line. */
     for (hp = Table; hp < ENDOF(Table); hp++)
 	if (hp->Value) {
-	    q = NEW(char, hp->Body - hp->Value + hp->Len + 1);
-	    strncpy(q, hp->Value, hp->Body - hp->Value + hp->Len);
-	    *(q + (int)(hp->Body - hp->Value) + hp->Len) = '\0';
+	    q = NEW(char, strlen(hp->Value) + 1);
+	    strcpy(q, hp->Value);
 	    if (strchr(q, '\n') != NULL) {
 		if ((p = Towire(q)) != NULL) {
 		    /* there is no white space, if hp->Value and hp->Body is the same */
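Review bot: replacing the size computation with `strlen(hp->Value) + 1` here removes the symptom (the wrapped allocation size behind the reported `Can't malloc 4294726168 bytes`) but leaves the cause untouched: the difference `hp->Body - hp->Value` is only meaningful when `hp->Body` points into the same string as `hp->Value`, and the cover mail says the two can live in different buffers. A more robust change would keep the bounded copy but first verify that `hp->Body` lies within `hp->Value`'s string and that `hp->Len` fits in the remainder, falling back to `strlen` only when that check fails; as written, a caller that sets `Body` outside `Value` now silently copies a different span instead of being caught.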
@@ -1175,9 +1177,8 @@
 	}
 	for (hp = Table; hp < ENDOF(Table); hp++)
 	    if (hp->Value) {
-		q = NEW(char, hp->Body - hp->Value + hp->Len + 1);
-		strncpy(q, hp->Value, hp->Body - hp->Value + hp->Len);
-		*(q + (int)(hp->Body - hp->Value) + hp->Len) = '\0';
+		q = NEW(char, strlen(hp->Value) + 1);
+		strcpy(q, hp->Value);
 		if (strchr(hp->Value, '\n') != NULL) {
 		    if ((p = Towire(q)) != NULL) {
 			/* there is no white space, if hp->Value and hp->Body is the same */
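Review bot: this is the third copy of the identical three-line replacement; factor the allocate-and-copy into one helper (a `strdup`-style wrapper around `NEW` and `strcpy`) so the three call sites cannot drift apart again. One such drift is already visible: this hunk's unchanged `if (strchr(hp->Value, '\n') != NULL)` tests `hp->Value`, while the corresponding check in the previous hunk tests `q`; with the new full-string `strcpy` the two are equivalent, so this is the moment to make them the same.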

However, I was building on a composite potato/woody/sid box at the
time and wasn't certain I had a solid enough test-case to hold up.

The basic problem is that the length of two strings is compared with
the assumption that the two 'char *' variables are pointing to the
same string at different places. Actually, one was on the heap and
the other on the stack IIRC.

Get in touch if you feel my explanation to be inadequate!

-- 
Andrew Stribblehill <ads at debian.org>
Systems programmer, IT Service, University of Durham, England

----- End forwarded message -----

-- 
ciao,
Marco
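As an added illustration of the explanation in the forwarded mail (example code, not INN's or the reporter's), the snippet below assumes a `header` struct with the `Value`, `Body` and `Len` fields the patched lines read, and sets the original length computation beside a bounded variant that only trusts the `Body - Value` difference after checking that `Body` really lies inside `Value`:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed shape of the post.c Table entries read by the patched lines. */
struct header {
    const char *Value;  /* header value as received, NUL-terminated */
    const char *Body;   /* Value with leading whitespace skipped */
    int Len;            /* length of Body */
};

/* Size the original code allocated, done on integer addresses so the
 * unrelated-buffer case is well-defined here; the value still wraps. */
size_t naive_len(const struct header *hp)
{
    return (size_t)((uintptr_t)hp->Body - (uintptr_t)hp->Value) + (size_t)hp->Len + 1;
}

/* Trust the pointer difference only when Body lies inside Value's string
 * and Len fits in the remainder; otherwise fall back to strlen(Value). */
size_t checked_len(const struct header *hp)
{
    size_t vlen = strlen(hp->Value);
    uintptr_t v = (uintptr_t)hp->Value, b = (uintptr_t)hp->Body;
    if (hp->Len >= 0 && b >= v && b - v <= vlen && (size_t)hp->Len <= vlen - (b - v))
        return (b - v) + (size_t)hp->Len + 1;
    return vlen + 1;
}

/* Bounded copy of the span checked_len() vouches for; caller frees. */
char *copy_header_value(const struct header *hp)
{
    size_t n = checked_len(hp);
    char *q = malloc(n);
    if (q == NULL) return NULL;
    memcpy(q, hp->Value, n - 1);
    q[n - 1] = '\0';
    return q;
}

int main(void)
{
    /* Constructed entries: Body inside Value, then Body in an unrelated stack buffer. */
    const char *value = "  Re: INN headers";
    char stack_copy[] = "Re: INN headers";
    struct header same = { value, value + 2, 15 };
    struct header split = { value, stack_copy, 15 };
    printf("same:  naive %zu checked %zu\n", naive_len(&same), checked_len(&same));
    printf("split: naive %zu checked %zu\n", naive_len(&split), checked_len(&split));
}
```

In the second case `naive_len` returns whatever the distance between the stack and the string literal happens to be, which is the kind of value the reported `Can't malloc 4294726168 bytes` shows, while `checked_len` stays at `strlen(Value) + 1`.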


More information about the inn-workers mailing list