Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. use of strlcpy on overlapping source and destination
(Florian Schlichting)
2. Re: use of strlcpy on overlapping source and destination
(Florian Schlichting)
----------------------------------------------------------------------
Message: 1
Date: Wed, 15 Jan 2014 18:09:09 +0100
From: Florian Schlichting <[email protected]>
To: [email protected]
Subject: use of strlcpy on overlapping source and destination
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
Hi Julien,
a little while back we had an issue where a user was denied posting with
"address not in Internet syntax" while using a From address of the form
[email protected]. Debugging revealed that nnrpd copies a buffer into itself to
look at the part behind the "@", and for very specific inputs on an old
version of nnrpd that still uses strcpy (and our particular libc), the
result did not contain the dot separating the top-level domain any more.
I'm unable to provide a working test case on current versions of nnrpd,
but the From address check still copies overlapping parts of a buffer
using strlcpy (and in INN's replacement implementation, memcpy), which
can lead to undefined results. Fortunately the fix is easy, as making a
copy is actually unnecessary (frombuf is not used later on):
--- a/nnrpd/post.c
+++ b/nnrpd/post.c
@@ -1090,8 +1090,7 @@ ARTpost(char *article, char *idbuff, bool ihave, bool
*permanent)
HeaderCleanFrom(frombuf);
p = strchr(frombuf, '@');
if (p) {
- strlcpy(frombuf, p+1, sizeof(frombuf));
- p = strrchr(frombuf, '.');
+ p = strrchr(p+1, '.');
if (!p) {
if (modgroup)
free(modgroup);
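Review bot: the claim that frombuf is not used after this point needs to be confirmed against the rest of ARTpost before the copy is dropped, because after this hunk frombuf still holds the whole address rather than just the domain part; if nothing reads it, `+ p = strrchr(p+1, '.');` is a strict improvement, since the removed `strlcpy(frombuf, p+1, sizeof(frombuf));` copied between overlapping regions of the same buffer, which neither strlcpy nor a memcpy-based replacement defines. A one-line comment saying that p+1 skips the '@' would help the next reader of this check.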
I couldn't find any similar uses of strlcpy on overlapping source and
destination in nnrpd/post.c, but haven't looked further.
While testing, it occurred to me that the From address check could
easily be improved to check for the existence of at least one character
before the '@' (more checks are certainly possible, but better left to
the posting filter...):
--- a/nnrpd/post.c
+++ b/nnrpd/post.c
@@ -1088,7 +1088,7 @@ ARTpost(char *article, char *idbuff, bool ihave, bool
*permanent)
else
*p++ = ' ';
HeaderCleanFrom(frombuf);
- p = strchr(frombuf, '@');
+ p = strchr(frombuf+1, '@');
if (p) {
p = strrchr(p+1, '.');
if (!p) {
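Review bot: `+ p = strchr(frombuf+1, '@');` reads past the terminator when frombuf is the empty string, because frombuf+1 is then one byte beyond the NUL and strchr keeps scanning from there; the "at least one character before the '@'" rule needs an explicit test of frombuf[0] before the search rather than an offset into the buffer.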
Florian
------------------------------
Message: 2
Date: Wed, 15 Jan 2014 18:52:08 +0100
From: Florian Schlichting <[email protected]>
To: [email protected]
Subject: Re: use of strlcpy on overlapping source and destination
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
On Wed, Jan 15, 2014 at 06:09:09PM +0100, Florian Schlichting wrote:
> While testing, it occurred to me that the From address check could
> easily be improved to check for the existence of at least one character
> before the '@' (more checks are certainly possible, but better left to
> the posting filter...):
>
>
> --- a/nnrpd/post.c
> +++ b/nnrpd/post.c
> @@ -1088,7 +1088,7 @@ ARTpost(char *article, char *idbuff, bool ihave, bool
> *permanent)
> else
> *p++ = ' ';
> HeaderCleanFrom(frombuf);
> - p = strchr(frombuf, '@');
> + p = strchr(frombuf+1, '@');
> if (p) {
> p = strrchr(p+1, '.');
> if (!p) {
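Review bot: the intent behind `+ p = strchr(frombuf+1, '@');` can be kept without the offset: test frombuf[0] first and only search from frombuf when it is neither '\0' nor '@'. That rejects an empty or '@'-initial address, never reads beyond the terminator, and also refuses an address such as "@a@b.c", which the offset version accepts by picking up the second '@'.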
sent the mail, left the office and thought: ah, what if frombuf at that
point is an empty string? So maybe not so easy. Better scrap that part.
Florian
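The From-domain check discussed in both messages, written three ways, as an added example that is not INN's code (the function names, FROMBUF_SIZE and the sample addresses are assumptions made for illustration): the pre-patch shape that copies within the same buffer, the patched no-copy shape with an explicit guard for the empty-string case raised in the second message, and a memmove variant for the case where the domain really has to end up at the front of the buffer.

```c
/*
 * Added example, not INN's code.  FROMBUF_SIZE, the function names and
 * the sample address are assumptions for illustration only.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define FROMBUF_SIZE 256            /* assumed; not nnrpd's real size */

/* A strlcpy-style copy built on memcpy, the shape a project uses where
 * libc has no strlcpy.  Like strlcpy itself it is only defined for
 * non-overlapping src and dst. */
size_t copy_bounded(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);        /* undefined if dst and src overlap */
        dst[n] = '\0';
    }
    return len;
}

/* Shape of the pre-patch check: shifts the domain to the front of the
 * same buffer.  src (p + 1) and dst (frombuf) overlap, which is the
 * undefined behaviour the report describes.  Kept only for comparison;
 * it is never called here and should not be used. */
bool domain_has_dot_overlapping_copy(char *frombuf, size_t size)
{
    char *p = strchr(frombuf, '@');
    if (p == NULL)
        return false;
    copy_bounded(frombuf, p + 1, size);   /* overlapping copy: undefined */
    return strrchr(frombuf, '.') != NULL;
}

/* Shape of the patched check: no copy at all.  frombuf keeps the whole
 * address and p + 1 is searched directly.  An empty string or a leading
 * '@' is rejected by an explicit test instead of by starting the search
 * at frombuf + 1, so nothing is ever read past the terminator. */
bool domain_has_dot(const char *frombuf)
{
    const char *p;
    if (frombuf[0] == '\0' || frombuf[0] == '@')
        return false;               /* nothing before the '@' */
    p = strchr(frombuf, '@');
    if (p == NULL)
        return false;
    return strrchr(p + 1, '.') != NULL;
}

/* If later code really needs the domain at the front of the buffer,
 * memmove is the overlap-safe primitive for the in-place shift. */
bool domain_has_dot_inplace(char *frombuf)
{
    char *p;
    size_t len;
    if (frombuf[0] == '\0' || frombuf[0] == '@')
        return false;
    p = strchr(frombuf, '@');
    if (p == NULL)
        return false;
    len = strlen(p + 1);
    memmove(frombuf, p + 1, len + 1);   /* + 1 carries the NUL; overlap is fine */
    return strrchr(frombuf, '.') != NULL;
}

/* Runs the in-place variant on a constructed address and reports whether
 * the buffer ends up holding just the domain. */
bool inplace_check_leaves_domain(void)
{
    char buf[FROMBUF_SIZE] = "user@example.org";   /* constructed sample */
    return domain_has_dot_inplace(buf) && strcmp(buf, "example.org") == 0;
}
```

domain_has_dot() is the shape the patch in the first message ends up with, plus the first-byte guard; the overlapping-copy variant is included only so the two can be read side by side, and is deliberately left uncalled.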
------------------------------
End of inn-workers Digest, Vol 59, Issue 1