Re: segmentation violation in hypermail 2.0b3

From: Daniel Stenberg <Daniel.Stenberg_at_sth.frontec.se_at_hypermail-project.org>
Date: Wed, 9 Sep 1998 23:29:26 +0200 (MET DST)
Message-ID: <Pine.SO4.4.02.9809092312290.12714-100000_at_metal.sth1.frontec.se>


On Wed, 9 Sep 1998, Zvi Har'El wrote:

> ~$ hypermail -p -m ddd.mbox -d .
> Loading mailbox "ddd.mbox"... 1 articles.
> zsh: segmentation fault (core dumped) hypermail -p -m ddd.mbox -d .

I've located the problem.

Once again it is a static buffer overflow. We really *need* to remove them all over. In this case, the convurls() function crashes. There is only one single line in that mail, 1480 bytes big. Hypermail has problems with anything larger than 1024.

convurls() (string.c) is called from the printbody() (print.c) and crashes hard. From what I can see, the rmcr() calls used in print.c will also seriously get into problems.

As I see it, there is a somewhat big change we need to do in hypermail to get this fixed once and for all:

        grep MAXLINE *.c

Now, almost all occurrences need to be removed. Functions that get input from an argument and write data to a static buffer which they return NEED to be rewritten to write all output to a reallocated buffer. The buffer should be resized to fit the output. However large it gets. Any limit is bound to be reached some day otherwise.

Such functions include convurls(), rmcr(), getreply(), convchars(), parseurl() and parseemail() (even if these last two don't use the MAXLINE #define).

I didn't do this right away because I'd like to get some discussions around this before I jump head-first into this rather big change in what was hoped to be the last beta before 2.0 release...

--
             Daniel Stenberg - http://www.fts.frontec.se/~dast
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
Received on Wed 09 Sep 1998 11:33:48 PM GMT
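The rewrite the mail proposes, shown as an added example rather than hypermail's own code: a convchars-style function (hypothetical; it escapes `<`, `>` and `&` to HTML entities, so output can be up to five times longer than input) written twice, once in the fixed-`MAXLINE` static-buffer style with a bounds check that makes it truncate instead of overflow, and once against a growable buffer that is `realloc`'d to fit however long the output gets. `MAXLINE`, the `growbuf` type and every function name here are assumptions for the example, not identifiers from hypermail; the 1480-byte test line mirrors the size in the report but is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLINE 1024   /* assumed fixed limit, as in the mail's description */

/* Entity for one input byte: returns the replacement and its length.
 * Bytes that need no escaping are returned as themselves (length 1). */
static size_t entity_for(const char *c, const char **rep)
{
    switch (*c) {
    case '<': *rep = "&lt;";  return 4;
    case '>': *rep = "&gt;";  return 4;
    case '&': *rep = "&amp;"; return 5;
    default:  *rep = c;       return 1;
    }
}

/* The pattern the mail warns about: output goes to a static MAXLINE buffer
 * whose address is returned. The length check added here stops the overflow,
 * but the caller still silently loses the tail of any long line. */
char *escape_html_static(const char *in, int *truncated)
{
    static char out[MAXLINE];
    size_t o = 0;
    *truncated = 0;
    for (; *in; in++) {
        const char *rep;
        size_t rlen = entity_for(in, &rep);
        if (o + rlen + 1 > sizeof out) { *truncated = 1; break; }
        memcpy(out + o, rep, rlen);
        o += rlen;
    }
    out[o] = '\0';
    return out;
}

/* Growable output buffer: reallocated to fit whatever is written. */
struct growbuf { char *data; size_t len; size_t cap; };

static int gb_reserve(struct growbuf *gb, size_t extra)
{
    if (gb->len + extra + 1 <= gb->cap) return 0;    /* room incl. NUL */
    size_t ncap = gb->cap ? gb->cap : 64;
    while (ncap < gb->len + extra + 1) ncap *= 2;    /* doubling keeps reallocs O(log n) */
    char *p = realloc(gb->data, ncap);
    if (!p) return -1;
    gb->data = p;
    gb->cap = ncap;
    return 0;
}

static int gb_append(struct growbuf *gb, const char *s, size_t n)
{
    if (gb_reserve(gb, n) < 0) return -1;
    memcpy(gb->data + gb->len, s, n);
    gb->len += n;
    gb->data[gb->len] = '\0';
    return 0;
}

/* The proposed form: no fixed limit. Returns a malloc'd string the caller
 * frees, or NULL if allocation fails (the only remaining failure mode). */
char *escape_html_dyn(const char *in)
{
    struct growbuf gb = {0};
    if (gb_reserve(&gb, 0) < 0) return NULL;   /* empty input still yields "" */
    gb.data[0] = '\0';
    for (; *in; in++) {
        const char *rep;
        size_t rlen = entity_for(in, &rep);
        if (gb_append(&gb, rep, rlen) < 0) { free(gb.data); return NULL; }
    }
    return gb.data;
}

/* Constructed input: a single line of n '<' bytes (worst case, every byte
 * expands). Returns the escaped length from the dynamic version (4 * n). */
size_t dyn_escaped_len(size_t n)
{
    char *line = malloc(n + 1);
    if (!line) return 0;
    memset(line, '<', n);
    line[n] = '\0';
    char *out = escape_html_dyn(line);
    size_t len = out ? strlen(out) : 0;
    free(out);
    free(line);
    return len;
}

/* Same constructed line through the static version: 1 if it had to truncate. */
int static_truncated(size_t n)
{
    char *line = malloc(n + 1);
    if (!line) return -1;
    memset(line, '<', n);
    line[n] = '\0';
    int trunc;
    escape_html_static(line, &trunc);
    free(line);
    return trunc;
}

int main(void)
{
    printf("1480-byte line: static truncated=%d, dynamic length=%zu\n",
           static_truncated(1480), dyn_escaped_len(1480));
    return 0;
}
```

The static version is the safe-but-lossy halfway point; the growable one is what the mail argues every `MAXLINE` function should become, with allocation failure as the only error path left to handle.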

This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:49 PM GMT