inn-2.5.3 bug report

Julien ÉLIE julien at trigofacile.com
Sat Jun 15 16:27:48 UTC 2013


Hi David,

> I just ran the static analyser "cppcheck" over the source code of
> inn-2.5.3 It said, amongst other things

Could you please send to the inn-workers mailing-list the other
things reported by your code analysis?  It may be worthwhile having
a look at it.



> [imap_connection.c:2386]: (error) Buffer is accessed out of bounds.
> 
> Offending source code is
> 
>      sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
> 
> and
> 
>      char imap_currentTag[IMAP_TAGLENGTH];
> 
> and
> 
> #define IMAP_TAGLENGTH 6
> 
> sprintf writes a trailing zero byte, so 6 + 1 into 6 won't go. Suggest
> code rework.

Thanks for this bug report.
I believe the following patch fixes the issue.

Index: innfeed/imap_connection.c
===================================================================
--- innfeed/imap_connection.c	(révision 9475)
+++ innfeed/imap_connection.c	(copie de travail)
@@ -343,7 +343,7 @@
     int imap_disconnects;
     char *imap_tofree_str;
 
-    char imap_currentTag[IMAP_TAGLENGTH];
+    char imap_currentTag[IMAP_TAGLENGTH+1];
     int  imap_tag_num;
 
     /* Timer for the max amount of time to wait for a response from the
@@ -2383,7 +2383,7 @@
 
 static void imap_GetTag(connection_t *cxn)
 {
-    sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
+    snprintf(cxn->imap_currentTag, IMAP_TAGLENGTH+1, "%06d", cxn->imap_tag_num);
     cxn->imap_tag_num++;
     if (cxn->imap_tag_num >= 999999)
     {





-- 
Julien ÉLIE

« Aliud est celare, aliud tacere. »


More information about the inn-workers mailing list