Thus said Stephen Gildea on Fri, 22 Nov 2024 15:04:04 -0800:

> I think I have found the bug. In traverse(), when the buffer is full,
> at about popsbr.c line 656, "slen" is the size of "response", so
> setting response[slen] to NUL writes one byte beyond the array.

Ok, good find. Now I wonder why I haven't seen this in 2 years of running it. Surely I must have had some line somewhere that caused the buffer to overflow---but then again, maybe this just reveals how uncommon it is for email systems to violate the line length restriction in emails.

But I'm also baffled by why running your test-pop against my patch doesn't trigger it here on OpenBSD.

Amazingly good catch. And now that I look at my code from what seems an age ago, I'm not sure I like it... too messy.

Thanks,

Andy
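
An added illustration of the off-by-one described in the quoted message; it is not code from popsbr.c or from either participant. The function names, RESP_SIZE and the guard byte are hypothetical, and the buffer is modelled as the first RESP_SIZE bytes of a larger arena so the stray write can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

#define RESP_SIZE 16   /* hypothetical; stands in for sizeof response */
#define GUARD 0xA5     /* constructed marker for the byte after the buffer */

/* Bug shape from the message: on a full buffer slen == size, so
 * buf[slen] is one byte past the end. */
static size_t store_line_buggy(char *buf, size_t size, const char *line)
{
    size_t slen = strlen(line);
    if (slen > size)
        slen = size;
    memcpy(buf, line, slen);
    buf[slen] = '\0';          /* buf[size] when the buffer is full */
    return slen;
}

/* Corrected form: keep one byte back for the terminator. */
static size_t store_line_fixed(char *buf, size_t size, const char *line)
{
    size_t slen = strlen(line);
    if (size == 0)
        return 0;
    if (slen > size - 1)
        slen = size - 1;
    memcpy(buf, line, slen);
    buf[slen] = '\0';
    return slen;
}

/* Returns 1 if the byte just past the modelled buffer was overwritten. */
static int guard_clobbered(int use_fixed, const char *line)
{
    unsigned char arena[RESP_SIZE + 1];
    memset(arena, 'x', RESP_SIZE);
    arena[RESP_SIZE] = GUARD;
    if (use_fixed)
        store_line_fixed((char *)arena, RESP_SIZE, line);
    else
        store_line_buggy((char *)arena, RESP_SIZE, line);
    return arena[RESP_SIZE] != GUARD;
}

int main(void)
{
    const char *long_line = "0123456789abcdefOVERLONG";  /* constructed input */
    return !(guard_clobbered(0, long_line) && !guard_clobbered(1, long_line));
}
```

In this model only a line of at least RESP_SIZE bytes reaches the stray write; anything shorter leaves the guard byte intact.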
