Here comes the diff - but again I cannot compile it under Windows and therefore
have never compiled it :-(
It uses spprintf instead of s(n)printf where appropriate and uses a buffer
on the stack for
chunked data instead of a static buffer.
marcus
cvs -z3 -q diff -w win32\sendmail.c (in directory S:\php4\)
Index: win32/sendmail.c
===================================================================
RCS file: /repository/php4/win32/sendmail.c,v
retrieving revision 1.44
diff -u -w -r1.44 sendmail.c
--- win32/sendmail.c 14 Jun 2002 05:42:08 -0000 1.44
+++ win32/sendmail.c 22 Jun 2002 13:25:18 -0000
@@ -63,7 +63,6 @@
}
#ifndef THREAD_SAFE
-char Buffer[MAIL_BUFFER_SIZE];
/* socket related data */
SOCKET sc;
@@ -341,6 +340,7 @@
// Author/Date: jcar 20/9/96
// History:
//*******************************************************************/
+#define CHUNK_BUFFER_SIZE 1024
int SendText(char *RPath, char *Subject, char *mailTo, char *data, char
*headers, char *headers_lc, char **error_message)
{
int res, i;
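Review bot: The new `#define CHUNK_BUFFER_SIZE 1024` is placed between SendText's banner comment and the function definition, so the banner no longer sits directly on the function it describes. Keep the function header intact and put the constant with the file's other size constants (next to MAIL_BUFFER_SIZE, which only the removed static Buffer appears to have used) or as a file-scope `enum { CHUNK_BUFFER_SIZE = 1024 };`. SendText's body continues past this hunk.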
@@ -348,6 +348,8 @@
char *tempMailTo, *token, *pos1, *pos2;
char *server_response = NULL;
char *stripped_header = NULL;
+ char *Buffer;
+ char ChunkBuffer[CHUNK_BUFFER_SIZE+1];
/* check for NULL parameters */
if (data == NULL)
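Review bot: `char *Buffer;` is declared uninitialised, while every `if (!Buffer)` test in the later hunks assumes spprintf wrote the output pointer; whether spprintf assigns NULL on allocation failure is not visible here, so make the check self-sufficient with `char *Buffer = NULL;`. `ChunkBuffer[CHUNK_BUFFER_SIZE+1]` is correctly sized for the `ChunkBuffer[i] = '\0'` write in the chunk loop, where i never exceeds CHUNK_BUFFER_SIZE. Since the author notes the patch was never compiled, it is also worth confirming that no other function still refers to the file-scope Buffer removed in the first hunk. SendText starts before and ends after this hunk.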
@@ -366,23 +368,33 @@
return (BAD_MSG_DESTINATION);
*/
- sprintf(Buffer, "HELO %s\r\n", LocalHost);
+ spprintf(&Buffer, 0, "HELO %s\r\n", LocalHost);
+ if (!Buffer)
+ return OUT_OF_MEMORY;
/* in the beggining of the dialog */
/* attempt reconnect if the first Post fail */
if ((res = Post(Buffer)) != SUCCESS) {
MailConnect();
- if ((res = Post(Buffer)) != SUCCESS)
+ if ((res = Post(Buffer)) != SUCCESS) {
+ efree(Buffer);
return (res);
}
+ }
+ efree(Buffer);
if ((res = Ack(&server_response)) != SUCCESS) {
SMTP_ERROR_RESPONSE(server_response);
return (res);
}
- snprintf(Buffer, MAIL_BUFFER_SIZE, "MAIL FROM:<%s>\r\n", RPath);
- if ((res = Post(Buffer)) != SUCCESS)
+ spprintf(&Buffer, 0, "MAIL FROM:<%s>\r\n", RPath);
+ if (!Buffer)
+ return OUT_OF_MEMORY;
+ if ((res = Post(Buffer)) != SUCCESS) {
+ efree(Buffer);
return (res);
+ }
+ efree(Buffer);
if ((res = Ack(&server_response)) != SUCCESS) {
SMTP_ERROR_RESPONSE(server_response);
return W32_SM_SENDMAIL_FROM_MALFORMED;
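Review bot: The spprintf / `if (!Buffer)` / Post / efree sequence added for MAIL FROM here is repeated verbatim for each RCPT TO loop in the three hunks that follow, with the efree duplicated on every failure path, which is exactly where the next missed free will creep in. A small static helper that formats one command line, posts it and releases it would collapse each site to a single call; the HELO exchange with its MailConnect() retry can stay as written. The helper is shown below with the MAIL FROM site as the example; SendText starts before and ends after this hunk.
```c
/* Format one SMTP command line, Post() it and release the line again.
 * Returns OUT_OF_MEMORY when the line could not be allocated, otherwise Post()'s result. */
static int PostFormatted(const char *fmt, const char *arg)
{
	char *line = NULL;
	int res;

	spprintf(&line, 0, fmt, arg);
	if (!line)
		return OUT_OF_MEMORY;
	res = Post(line);
	efree(line);
	return res;
}

/* … unchanged: HELO exchange with MailConnect() retry … */
	if ((res = PostFormatted("MAIL FROM:<%s>\r\n", RPath)) != SUCCESS)
		return (res);
/* … unchanged: Ack() of the MAIL FROM response … */
```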
@@ -394,11 +406,15 @@
token = strtok(tempMailTo, ",");
while(token != NULL)
{
- snprintf(Buffer, MAIL_BUFFER_SIZE, "RCPT TO:<%s>\r\n", token);
+ spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n", token);
+ if (!Buffer)
+ return OUT_OF_MEMORY;
if ((res = Post(Buffer)) != SUCCESS) {
efree(tempMailTo);
+ efree(Buffer);
return (res);
}
+ efree(Buffer);
if ((res = Ack(&server_response)) != SUCCESS) {
SMTP_ERROR_RESPONSE(server_response);
efree(tempMailTo);
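Review bot: The new `if (!Buffer) return OUT_OF_MEMORY;` inside the RCPT TO loop returns without releasing tempMailTo, which the Post() failure path two lines below does free; the early return should be `if (!Buffer) { efree(tempMailTo); return OUT_OF_MEMORY; }`. The same new return appears in the two RCPT TO loops in the following hunks, where the surrounding existing code does not appear to free tempMailTo on failure either, so those paths deserve the same look. The loop and SendText both continue beyond this hunk.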
@@ -426,9 +442,14 @@
token = strtok(tempMailTo, ",");
while(token != NULL)
{
- sprintf(Buffer, "RCPT TO:<%s>\r\n", token);
- if ((res = Post(Buffer)) != SUCCESS)
+ spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n", token);
+ if (!Buffer)
+ return OUT_OF_MEMORY;
+ if ((res = Post(Buffer)) != SUCCESS) {
+ efree(Buffer);
return (res);
+ }
+ efree(Buffer);
if ((res = Ack(&server_response)) != SUCCESS) {
SMTP_ERROR_RESPONSE(server_response);
return (res);
@@ -460,10 +481,14 @@
token = strtok(tempMailTo, ",");
while(token != NULL)
{
- sprintf(Buffer, "RCPT TO:<%s>\r\n", token);
+ spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n",
token);
+ if (!Buffer)
+ return OUT_OF_MEMORY;
if ((res = Post(Buffer)) != SUCCESS) {
+ efree(Buffer);
return (res);
}
+ efree(Buffer);
if ((res = Ack(&server_response)) !=
SUCCESS) {
SMTP_ERROR_RESPONSE(server_response);
return (res);
@@ -525,7 +550,7 @@
/* send message contents in 1024 chunks */
- if (strlen(data) <= 1024) {
+ if (strlen(data) <= CHUNK_BUFFER_SIZE) {
if ((res = Post(data)) != SUCCESS)
return (res);
} else {
@@ -533,18 +558,18 @@
while (1) {
if (*p == '\0')
break;
- if (strlen(p) >= 1024)
- i = 1024;
+ if (strlen(p) >= CHUNK_BUFFER_SIZE)
+ i = CHUNK_BUFFER_SIZE;
else
i = strlen(p);
/* put next chunk in buffer */
- strncpy(Buffer, p, i);
- Buffer[i] = '\0';
+ strncpy(ChunkBuffer, p, i);
+ ChunkBuffer[i] = '\0';
p += i;
/* send chunk */
- if ((res = Post(Buffer)) != SUCCESS)
+ if ((res = Post(ChunkBuffer)) != SUCCESS)
return (res);
}
}
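Review bot: Each iteration of the chunk loop calls strlen(p) on the whole remaining body (once for the size test and again for the assignment), so sending a long message costs time quadratic in its length; computing the remaining length once before the loop and decrementing it per chunk removes that, and the loop condition can then replace the `while (1)` / `break` pair. The copy itself is safe: i is capped at CHUNK_BUFFER_SIZE and the array has one spare byte for the terminator, and memcpy is the better fit here since the length is already known. The enclosing `else` block opens in the previous hunk and SendText ends after this one.
```c
	/* … unchanged: p is positioned at the start of the body before the loop … */
	size_t remaining = strlen(p);
	while (remaining > 0) {
		i = remaining >= CHUNK_BUFFER_SIZE ? CHUNK_BUFFER_SIZE : (int)remaining;
		/* put next chunk in buffer */
		memcpy(ChunkBuffer, p, i);
		ChunkBuffer[i] = '\0';
		p += i;
		remaining -= i;
		/* send chunk */
		if ((res = Post(ChunkBuffer)) != SUCCESS)
			return (res);
	}
```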
At 11:35 11.06.2002, you wrote:
>Why not use spprintf, which does not require allocating the buffer before
>calling the function?
>
>marcus
>
>At 00:10 03.06.2002, Markus Fischer wrote:
>>mfischer Sun Jun 2 18:10:25 2002 EDT
>>
>> Modified files:
>> /php4/win32 sendmail.c
>> Log:
>> - Try to fix most of the buffer overflows and dynamically allocate
>> memory where
>> applicable.
>>
>>
>>Index: php4/win32/sendmail.c
>>diff -u php4/win32/sendmail.c:1.35 php4/win32/sendmail.c:1.36
>>--- php4/win32/sendmail.c:1.35 Sun Jun 2 13:13:48 2002
>>+++ php4/win32/sendmail.c Sun Jun 2 18:10:25 2002
>>@@ -17,7 +17,7 @@
>> *
>> */
>>
>>-/* $Id: sendmail.c,v 1.35 2002/06/02 17:13:48 mfischer Exp $ */
>>+/* $Id: sendmail.c,v 1.36 2002/06/02 22:10:25 mfischer Exp $ */
(...)