inn-2.5.3 bug report
Julien ÉLIE
julien at trigofacile.com
Sat Jun 15 16:27:48 UTC 2013
Hi David,
> I just ran the static analyser "cppcheck" over the source code of
> inn-2.5.3 It said, amongst other things
Could you please send to the inn-workers mailing-list the other
things reported by your code analysis? It may be worthwhile having
a look at it.
> [imap_connection.c:2386]: (error) Buffer is accessed out of bounds.
>
> Offending source code is
>
> sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
>
> and
>
> char imap_currentTag[IMAP_TAGLENGTH];
>
> and
>
> #define IMAP_TAGLENGTH 6
>
> sprintf writes a trailing zero byte, so 6 + 1 into 6 won't go. Suggest
> code rework.
Thanks for this bug report.
I believe the following patch fixes the issue.
Index: innfeed/imap_connection.c
===================================================================
--- innfeed/imap_connection.c (révision 9475)
+++ innfeed/imap_connection.c (copie de travail)
@@ -343,7 +343,7 @@
int imap_disconnects;
char *imap_tofree_str;
- char imap_currentTag[IMAP_TAGLENGTH];
+ char imap_currentTag[IMAP_TAGLENGTH+1];
int imap_tag_num;
/* Timer for the max amount of time to wait for a response from the
@@ -2383,7 +2383,7 @@
static void imap_GetTag(connection_t *cxn)
{
- sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
+ snprintf(cxn->imap_currentTag, IMAP_TAGLENGTH+1, "%06d", cxn->imap_tag_num);
cxn->imap_tag_num++;
if (cxn->imap_tag_num >= 999999)
{
--
Julien ÉLIE
« Aliud est celare, aliud tacere. »
More information about the inn-workers
mailing list