In server.c, towards the beginning of pserver_authenticate_connection(), there is the following code, which attempts to determine whether a valid authentication request is being made:

    /* Make sure the protocol starts off on the right foot... */
    if (getline (&tmp, &tmp_allocated, stdin) < 0)
        /* FIXME: what?  We could try writing error/eof, but chances
           are the network connection is dead bidirectionally.  log it
           somewhere? */
        ;

Unfortunately, getline() imposes no restriction on the amount of data it will try to read. Thus, a completely unauthenticated remote attacker can connect to a cvs pserver and cause it to allocate arbitrary amounts of memory, since getline() just keeps realloc()ing its buffer as it is fed data.

The fix would be to create a getnline() function that takes an additional argument restricting the amount that getline() is prepared to allocate, and to use it to impose appropriate restrictions on line length. This is easy to do for the first getnline() call: the longest line that could validly be sent to us is the string "BEGIN VERIFICATION REQUEST\n". The next three getline() calls need more thought, since the maximum lengths of a repository name, a username, and a password are (presumably) determined by limits imposed by the OS on which the server is running.

-patrick.
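The following is an added illustration of the proposed fix, not code from the cvs source: a getnline() that refuses to grow its buffer past a caller-supplied cap, and a check_begin_line() helper (a name assumed here) that applies it to the first pserver handshake line, where the cap is simply the length of the one valid string. Input comes from a tmpfile() rather than stdin so it can be run stand-alone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Bounded getline(): reads one line into *lineptr, growing the buffer as
 * needed but never allocating more than max bytes in total.  Returns the
 * line length, -1 on EOF/error, or -2 if the line would exceed max. */
ssize_t getnline(char **lineptr, size_t *n, size_t max, FILE *stream)
{
    size_t len = 0;
    int c = EOF;
    if (*lineptr == NULL || *n == 0) {
        *n = (64 < max) ? 64 : max;
        if ((*lineptr = malloc(*n)) == NULL) return -1;
    }
    while ((c = getc(stream)) != EOF) {
        if (len + 1 >= *n) {              /* need room for c plus the NUL */
            if (*n >= max) return -2;     /* refuse to grow past the cap */
            size_t newn = (*n * 2 > max) ? max : *n * 2;
            char *p = realloc(*lineptr, newn);
            if (p == NULL) return -1;
            *lineptr = p;
            *n = newn;
        }
        (*lineptr)[len++] = (char)c;
        if (c == '\n') break;
    }
    if (len == 0 && c == EOF) return -1;
    (*lineptr)[len] = '\0';
    return (ssize_t)len;
}

/* Mirrors the first handshake check: the only valid first line is
 * "BEGIN VERIFICATION REQUEST\n", so the cap is its length plus the NUL.
 * Returns 1 if valid, 0 if not, -1 if the line was too long to be valid. */
int check_begin_line(const char *input)
{
    static const char expected[] = "BEGIN VERIFICATION REQUEST\n";
    char *tmp = NULL;
    size_t tmp_allocated = 0;
    FILE *in = tmpfile();                 /* stand-in for the socket/stdin */
    if (in == NULL) return -1;
    fputs(input, in);
    rewind(in);
    ssize_t r = getnline(&tmp, &tmp_allocated, sizeof expected, in);
    fclose(in);
    int rc = (r == -2) ? -1 : (r > 0 && strcmp(tmp, expected) == 0);
    free(tmp);
    return rc;
}

/* Constructed over-long line of len 'A's; returns 1 if it was refused. */
int long_line_is_rejected(size_t len)
{
    char *buf = malloc(len + 2);
    if (buf == NULL) return 0;
    memset(buf, 'A', len);
    buf[len] = '\n';
    buf[len + 1] = '\0';
    int rc = check_begin_line(buf);
    free(buf);
    return rc == -1;
}
```

With the cap in place the buffer never exceeds 28 bytes no matter how much the peer sends, whereas the original getline() would keep reallocating until the process ran out of memory.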