Hi. I've been looking at the CVS version of hypermail, and in the process of trying to track down a bug, I ran the code through Purify. I found an uninitialized memory read in the latest version (1.3) of getname.c. I don't think it's critical, but I thought I'd point it out.
The actual read error occurs on line 277, in the getname() function:
277 if (name[i-1] == ' ' && *c == '<' || *c == '(')
278 name[--i] = '\0';
279 else
280 name[i] = '\0';
The problem is that the variable i can be zero here, causing a read of name[-1].
This case is triggered when the From line looks like this:
"From: <foo_at_bar.com>\n"
With this input, the first if-clause at line 176 is satisfied:
170 /*
171 * NAME Processing - Boy are there a bunch of funky formats here.
172 * No promises... I'll do my best. Let me know
173 * what I missed...
174 */
175
176 if (strchr(line, '<')) {
177 c = strchr(line, ':') + 1;
178 while (*c == ' ' || *c == '\t')
179 c++;
Then the last case of the nested-if (line 205) is satisfied:
205 else if (*c == '<') { /* Comment may be on the end */
206 /* From: <bill_at_celestial.com> Bill Campbell */
207 c = strchr(line, '>') + 1;
208 for (i = 0, len = NAMESTRLEN - 1; *c && *c != '\n' && i < len;
209 c++)
210 name[i++] = *c;
211
212 comment_fnd = 1;
213 }
Since the next character after the '>' in the From line is a newline, the body of the for-loop isn't executed, and i is zero. Then, comment_fnd is set to 1.
You'll see that the next line that gets executed is 277, and i is still zero.
I don't have a patch, because I've just started looking at the code, and this function is pretty hairy. Hope this helps, though.
-David
David Eisner | E-mail: cradle_at_eng.umd.edu | CALCE EPSC | Phone: 301-405-5341 | University of Maryland | Fax: 301-314-9269
Received on Wed 11 Apr 2001 11:14:01 PM GMT
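The following is an added example, not part of David's post and not hypermail's own code: a reduced model of the "<addr> Comment" branch of getname() quoted above, with the terminator check guarded so that name[i-1] is only read when at least one character was copied. NAMESTRLEN, the function name copy_comment, and the explicit parentheses around the `||` (my reading of the intended grouping at line 277) are assumptions; the first input is the From line from the report, the others are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; hypermail's own NAMESTRLEN is not quoted in the post. */
#define NAMESTRLEN 128

/*
 * Reduced model of the "<addr> Comment" branch of getname() (lines 205-213 above).
 * Copies the text after '>' into name, as the for-loop at lines 208-210 does,
 * then terminates it. Returns the loop's final i so a caller can see the
 * i == 0 case that makes the original line 277 read name[-1].
 */
static int copy_comment(const char *line, char name[NAMESTRLEN])
{
    const char *c = strchr(line, '>');
    int i = 0, len = NAMESTRLEN - 1;

    name[0] = '\0';
    if (c == NULL)                      /* no '>' at all: nothing to copy */
        return 0;
    for (c++; *c && *c != '\n' && i < len; c++)
        name[i++] = *c;

    /* Hardened terminator: only inspect name[i-1] when i > 0. The original
     * line 277 evaluates name[i-1] unconditionally, which for the input
     * "From: <foo_at_bar.com>\n" is the uninitialized read Purify reported. */
    if (i > 0 && name[i-1] == ' ' && (*c == '<' || *c == '('))
        name[--i] = '\0';
    else
        name[i] = '\0';
    return i;
}

int main(void)
{
    /* Constructed inputs; the first is the From line from the bug report. */
    const char *inputs[] = {
        "From: <foo_at_bar.com>\n",
        "From: <bill_at_celestial.com> Bill Campbell\n",
        "From: nobody\n",
    };
    char name[NAMESTRLEN];
    size_t k;

    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int n = copy_comment(inputs[k], name);
        printf("i=%d name=\"%s\"\n", n, name);
    }
    return 0;
}
```

Running it shows i=0 and an empty name for the reported From line, which is exactly the state in which the unguarded check at line 277 would index one byte before the buffer.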