Crash of inn 2.5.1pre r8634 in the keywords code
Russ Allbery
rra at stanford.edu
Tue Sep 29 20:27:36 UTC 2009
Nix <nix at esperi.org.uk> writes:
> So I upgraded my ancient INN 1.7.1 to 2.5.1pre on Sunday... and last
> night it coredumped just after midnight. It seems to have died inside
> the keywords code, which is odd, 'cos I've done a total overview rebuild
> of this entire news server (several million articles) and it never
> crashed then. So this could be a sign of something deeper. (I'm not
> actually using the keywords yet, but expect to use them soon.)
We're not passing a nul-terminated string into KEYgenerate. This has
probably been broken since some code restructuring for article handling in
the 2.5 development series. We don't test keyword generation very well.
Try this:
Index: innd/keywords.c
===================================================================
--- innd/keywords.c (revision 8641)
+++ innd/keywords.c (working copy)
@@ -26,7 +26,8 @@
#if !DO_KEYWORDS
void
KEYgenerate(HDRCONTENT *header UNUSED, const char *body UNUSED,
- const char *orig UNUSED, size_t length UNUSED)
+ size_t bodylen UNUSED, const char *orig UNUSED,
+ size_t length UNUSED)
{
}
@@ -89,13 +90,14 @@
void
KEYgenerate(
- HDRCONTENT *hc, /* header data */
- const char *body, /* article body */
- const char *v, /* old kw value */
- size_t l) /* old kw length */
+ HDRCONTENT *hc, /* header data */
+ const char *body, /* article body */
+ size_t bodylen, /* article body length */
+ const char *v, /* old kw value */
+ size_t l) /* old kw length */
{
- int word_count, word_length, bodylen, word_index, distinct_words;
+ int word_count, word_length, word_index, distinct_words;
int last;
char *text, *orig_text, *text_end, *this_word, *chase, *punc;
static struct word_entry *word_vec;
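Review bot: bodylen becomes a size_t parameter here, while the counters left on the declaration line (word_count, word_length, word_index, distinct_words) stay int, so any later comparison or arithmetic that mixes them with bodylen is now a signed/unsigned mix. The one visible case is `bodylen > innconf->keyartlimit`: the type of keyartlimit is not shown in this patch, and if it is signed, a negative configured value would convert to a very large unsigned number and the upper bound would never trigger. Worth confirming the type, or casting explicitly at that comparison.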
@@ -145,11 +147,14 @@
* now figure acceptable extents, and copy body to working string.
* (Memory-intensive for hefty articles: limit to non-ABSURD articles.)
*/
- bodylen = strlen(body);
if ((bodylen < 100) || (bodylen > innconf->keyartlimit)) /* too small/big to bother */
return;
- orig_text = text = xstrdup(body); /* orig_text is for free() later on */
+ /* Nul-terminate the body. orig_text will be freed later. */
+ orig_text = xmalloc(bodylen + 1);
+ memcpy(orig_text, body, bodylen);
+ orig_text[bodylen] = '\0';
+ text = orig_text;
text_end = text + bodylen;
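Review bot: at `text_end = text + bodylen`, the end pointer now comes from the caller's length rather than from strlen(), so a body containing an embedded NUL byte yields a copy whose C-string end falls before text_end. With the old strlen()/xstrdup() pair the two always agreed. If the code below this hunk mixes str* functions with comparisons against text_end, either cut the length at the first NUL before copying or say in the new comment that text may hold interior NULs. Keeping the size check ahead of xmalloc(bodylen + 1) is right, since it bounds both the allocation and the memcpy.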
Index: innd/art.c
===================================================================
--- innd/art.c (revision 8641)
+++ innd/art.c (working copy)
@@ -1886,7 +1886,7 @@
key_old_value = HDR(HDR__KEYWORDS);
key_old_length = HDR_LEN(HDR__KEYWORDS);
KEYgenerate(&hc[HDR__KEYWORDS], cp->In.data + data->Body,
- key_old_value, key_old_length);
+ cp->Next - data->Body, key_old_value, key_old_length);
}
}
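Review bot: `cp->Next - data->Body` is passed as the size_t bodylen with no check at this call site that cp->Next is at or past data->Body; if that ever fails to hold, the result converts to a very large length. The keyartlimit test in KEYgenerate would reject such a value, but that is a side effect rather than a guard. A short comment here stating what cp->Next marks relative to cp->In.data, and whether the length includes the article terminator, would make the contract for the new argument explicit.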
Index: innd/innd.h
===================================================================
--- innd/innd.h (revision 8641)
+++ innd/innd.h (working copy)
@@ -744,7 +744,7 @@
extern void CCclose(void);
extern void CCsetup(void);
-extern void KEYgenerate(HDRCONTENT *, const char *body,
+extern void KEYgenerate(HDRCONTENT *, const char *body, size_t,
const char *orig, size_t length);
extern void LCclose(void);
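Review bot: the parameter added to the prototype is a bare `size_t`, while the others carry names (body, orig, length). Naming it bodylen, as in the definition in keywords.c, keeps the header self-documenting and makes it harder to transpose the two size_t arguments at a call site, which the compiler would not catch.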
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.