Send inn-workers mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."


Today's Topics:

   1. Re: inn-2.5.3 bug report (Julien ÉLIE)


----------------------------------------------------------------------

Message: 1
Date: Sat, 15 Jun 2013 18:27:48 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: inn-2.5.3 bug report
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1

Hi David,

> I just ran the static analyser "cppcheck" over the source code of
> inn-2.5.3. It said, amongst other things

Could you please send to the inn-workers mailing-list the other
things reported by your code analysis?  It may be worthwhile having
a look at it.



> [imap_connection.c:2386]: (error) Buffer is accessed out of bounds.
> 
> Offending source code is
> 
>      sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
> 
> and
> 
>      char imap_currentTag[IMAP_TAGLENGTH];
> 
> and
> 
> #define IMAP_TAGLENGTH 6
> 
> sprintf writes a trailing zero byte, so 6 + 1 into 6 won't go. Suggest
> code rework.

Thanks for this bug report.
I believe the following patch fixes the issue.

Index: innfeed/imap_connection.c
===================================================================
--- innfeed/imap_connection.c   (r?vision 9475)
+++ innfeed/imap_connection.c   (copie de travail)
@@ -343,7 +343,7 @@
     int imap_disconnects;
     char *imap_tofree_str;
 
-    char imap_currentTag[IMAP_TAGLENGTH];
+    char imap_currentTag[IMAP_TAGLENGTH+1];
     int  imap_tag_num;
 
     /* Timer for the max amount of time to wait for a response from the
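Review bot: the `+1` in `char imap_currentTag[IMAP_TAGLENGTH+1];` is unexplained at the declaration, so IMAP_TAGLENGTH now means "number of digits" while the buffer is one byte larger. A short comment here saying the extra byte holds the terminating NUL would keep a later reader from simplifying it back, and any other code that sizes or copies this field by IMAP_TAGLENGTH should be checked against the new size.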
@@ -2383,7 +2383,7 @@
 
 static void imap_GetTag(connection_t *cxn)
 {
-    sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
+    snprintf(cxn->imap_currentTag, IMAP_TAGLENGTH+1, "%06d", 
cxn->imap_tag_num);
     cxn->imap_tag_num++;
     if (cxn->imap_tag_num >= 999999)
     {
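Review bot: in the `snprintf` call the bound `IMAP_TAGLENGTH+1` repeats the array size by hand; `sizeof(cxn->imap_currentTag)` would keep the two in step if the declaration changes again. `%06d` sets a minimum width only, so for a value wider than six characters the call now truncates instead of overflowing, and its return value is not checked; the visible `>= 999999` test after the increment is what keeps `imap_tag_num` in range. The added line is also wrapped by the mailer (the `cxn->imap_tag_num);` continuation carries no `+` prefix), so the patch will not apply as posted.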





-- 
Julien ÉLIE

« Aliud est celare, aliud tacere. »
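
The off-by-one reported in this message and a bounded alternative, as an added example that is not part of the original message or of INN's code. `bytes_needed` and `format_tag` are hypothetical helper names; only `IMAP_TAGLENGTH` and the `%06d` format come from the thread.

```c
#include <stdio.h>
#include <string.h>

#define IMAP_TAGLENGTH 6 /* digits in a tag, value quoted in the thread */

/* Hypothetical helper: bytes "%06d" needs for tag_num, including the
 * terminating NUL. snprintf(NULL, 0, ...) measures without writing. */
static int bytes_needed(int tag_num)
{
    return snprintf(NULL, 0, "%06d", tag_num) + 1;
}

/* Hypothetical helper: format tag_num into buf, refusing to truncate.
 * Returns 0 on success, -1 if the tag plus NUL does not fit in bufsize. */
static int format_tag(char *buf, size_t bufsize, int tag_num)
{
    int n = snprintf(buf, bufsize, "%06d", tag_num);

    /* n is the length the full output needs, excluding the NUL. */
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0)
            buf[0] = '\0'; /* do not leave a truncated tag behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char old_buf[IMAP_TAGLENGTH];     /* size before the patch */
    char new_buf[IMAP_TAGLENGTH + 1]; /* size after the patch */
    int rc;

    printf("tag 42 needs %d bytes\n", bytes_needed(42));
    rc = format_tag(old_buf, sizeof old_buf, 42);
    printf("6-byte buffer: rc=%d\n", rc);
    rc = format_tag(new_buf, sizeof new_buf, 42);
    printf("7-byte buffer: rc=%d tag=%s\n", rc, new_buf);
    /* %06d is a minimum width: a seven-digit value needs eight bytes. */
    rc = format_tag(new_buf, sizeof new_buf, 1000000);
    printf("1000000 needs %d bytes, rc=%d\n", bytes_needed(1000000), rc);
    return 0;
}
```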


------------------------------

End of inn-workers Digest, Vol 52, Issue 3
******************************************