cant store article: bogus Xref: header in INN 2.5 ?

Julien ÉLIE julien at trigofacile.com
Fri Sep 2 17:27:15 UTC 2011


Hi Matija,

> I've replaced CrackXref() for Debian Squeeze INN 2.5.2-2~squeeze1,
> but it broke horribly.

I am terribly sorry.  It is also what I have discovered in my news 
server this evening, coming back home.


> I do not know if it is related to this patch

Yes it is.

The problem is that I thought CrackXref() was given a pointer to a 
string (the Xref: header field value).  It appears that it is a pointer 
inside the article, without boundaries after the end of the Xref: header 
field.  With skip_fws(), we reach the start of the body (as Xref: is 
usually the last header).



> I backed up to Debian version until I can investigate more next week.

I have a new patch.
I will post it tomorrow, after having checked that everything is all 
right.  Sorry for having suggested a broken patch to you yesterday.






I see that we have other parsing issues in the same file.
For instance, again with the Xref: header field, where tabs are not 
checked.  Neither is folding whitespace.

             if (innconf->storeonxref) {
                 /* skip path element */
                 if ((xrefhdr = strchr(xrefhdr, ' ')) == NULL) {
                     art->groups = NULL;
                     art->groupslen = 0;
                 } else {
                     for (xrefhdr++; *xrefhdr == ' '; xrefhdr++);
                     art->groups = xrefhdr;
                     for (p = xrefhdr ; (*p != '\n') && (*p != '\r') ;
                          p++);
                     art->groupslen = p - xrefhdr;
                 }
             }

             and otherwise the Newsgroups: header field...



Implementing RFC 5536 will require a thorough check of many functions in 
the source code.

-- 
Julien ÉLIE

« Corruptissima republica plurimae leges. »
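
The bounds problem described in this message, as an added example that is not part of the original post and is not INN's code: a sketch that parses the Xref: field with an explicit end pointer, accepts tabs and folding whitespace, and stops at the first unfolded line ending so the scan cannot run into the body. The names `skip_fws_bounded` and `xref_groups` are hypothetical, and the sample article in `main` is constructed.

```c
#include <stddef.h>
#include <string.h>

static int is_wsp(char c) { return c == ' ' || c == '\t'; }

/* Skip SP, HTAB and folds (line ending followed by SP/HTAB) without passing
 * end.  A line ending not followed by whitespace ends the field: stop there. */
static const char *skip_fws_bounded(const char *p, const char *end)
{
    while (p < end) {
        const char *q = p;
        if (is_wsp(*p)) { p++; continue; }
        if (*q == '\r' && q + 1 < end) q++;
        if (*q == '\n' && q + 1 < end && is_wsp(q[1])) { p = q + 1; continue; }
        break;
    }
    return p;
}

/* Hypothetical helper: hdr points just after "Xref:", end one past the last
 * byte of the article.  Returns 0 and the span "group:number ..." (folds left
 * in place), or -1 when the field holds no group list. */
int xref_groups(const char *hdr, const char *end, const char **groups, size_t *len)
{
    const char *p = skip_fws_bounded(hdr, end), *e;
    *groups = NULL; *len = 0;
    while (p < end && !is_wsp(*p) && *p != '\r' && *p != '\n')
        p++;                                  /* skip path element */
    p = skip_fws_bounded(p, end);
    if (p >= end || *p == '\r' || *p == '\n') return -1;
    for (e = p; e < end; ) {
        const char *q = e + 1;
        if (*e == '\r' || *e == '\n') {
            q = skip_fws_bounded(e, end);
            if (q == e) break;                /* unfolded line ending: field ends */
        }
        e = q;
    }
    while (e > p && (is_wsp(e[-1]) || e[-1] == '\r' || e[-1] == '\n')) e--;
    *groups = p; *len = (size_t)(e - p);
    return 0;
}

int main(void)
{   /* Constructed sample: tab after the host, folded group list, then body. */
    const char *a = "Xref: news.example.org\tmisc.test:12\r\n comp.test:34\r\n\r\nBody\r\n";
    const char *g; size_t n;
    return (xref_groups(a + 5, a + strlen(a), &g, &n) == 0 && n == 27) ? 0 : 1;
}
```
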


