Hi,
I hope someone can properly test this patch; I'm currently
too short on time for it (and by properly testing I really
mean it, not just calling mail() ....)
- Markus
On Sat, Jun 22, 2002 at 03:29:30PM +0200, Marcus Börger wrote :
> Here comes the diff - but again I cannot compile it under Windows and
> therefore
> I never compiled it :-(
> It uses spprintf instead of s(n)printf where appropriate and uses a buffer
> on the stack for
> chunked data instead of a static buffer.
>
> marcus
>
> cvs -z3 -q diff -w win32\sendmail.c (in directory S:\php4\)
> Index: win32/sendmail.c
> ===================================================================
> RCS file: /repository/php4/win32/sendmail.c,v
> retrieving revision 1.44
> diff -u -w -r1.44 sendmail.c
> --- win32/sendmail.c 14 Jun 2002 05:42:08 -0000 1.44
> +++ win32/sendmail.c 22 Jun 2002 13:25:18 -0000
> @@ -63,7 +63,6 @@
> }
>
> #ifndef THREAD_SAFE
> -char Buffer[MAIL_BUFFER_SIZE];
>
> /* socket related data */
> SOCKET sc;
> @@ -341,6 +340,7 @@
> // Author/Date: jcar 20/9/96
> // History:
> //*******************************************************************/
> +#define CHUNK_BUFFER_SIZE 1024
> int SendText(char *RPath, char *Subject, char *mailTo, char *data, char
> *headers, char *headers_lc, char **error_message)
> {
> int res, i;
> @@ -348,6 +348,8 @@
> char *tempMailTo, *token, *pos1, *pos2;
> char *server_response = NULL;
> char *stripped_header = NULL;
> + char *Buffer;
> + char ChunkBuffer[CHUNK_BUFFER_SIZE+1];
>
> /* check for NULL parameters */
> if (data == NULL)
> @@ -366,23 +368,33 @@
> return (BAD_MSG_DESTINATION);
> */
>
> - sprintf(Buffer, "HELO %s\r\n", LocalHost);
> + spprintf(&Buffer, 0, "HELO %s\r\n", LocalHost);
> + if (!Buffer)
> + return OUT_OF_MEMORY;
>
> /* in the beggining of the dialog */
> /* attempt reconnect if the first Post fail */
> if ((res = Post(Buffer)) != SUCCESS) {
> MailConnect();
> - if ((res = Post(Buffer)) != SUCCESS)
> + if ((res = Post(Buffer)) != SUCCESS) {
> + efree(Buffer);
> return (res);
> }
> + }
> + efree(Buffer);
> if ((res = Ack(&server_response)) != SUCCESS) {
> SMTP_ERROR_RESPONSE(server_response);
> return (res);
> }
>
> - snprintf(Buffer, MAIL_BUFFER_SIZE, "MAIL FROM:<%s>\r\n", RPath);
> - if ((res = Post(Buffer)) != SUCCESS)
> + spprintf(&Buffer, 0, "MAIL FROM:<%s>\r\n", RPath);
> + if (!Buffer)
> + return OUT_OF_MEMORY;
> + if ((res = Post(Buffer)) != SUCCESS) {
> + efree(Buffer);
> return (res);
> + }
> + efree(Buffer);
> if ((res = Ack(&server_response)) != SUCCESS) {
> SMTP_ERROR_RESPONSE(server_response);
> return W32_SM_SENDMAIL_FROM_MALFORMED;
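Review bot: `RPath` is formatted straight into `MAIL FROM:<%s>\r\n`, and nothing visible in this hunk rejects a CR or LF inside it, so a value containing a line break would reach the server as extra SMTP command lines; switching to spprintf removes the length limit but not that problem. If RPath can carry caller-supplied text, reject it before formatting, for example `if (strpbrk(RPath, "\r\n")) return W32_SM_SENDMAIL_FROM_MALFORMED;`. The same applies to `token` in the three `RCPT TO:<%s>` hunks that follow. SendText starts and ends outside this hunk, so an earlier validation step may exist that is not shown here.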
> @@ -394,11 +406,15 @@
> token = strtok(tempMailTo, ",");
> while(token != NULL)
> {
> - snprintf(Buffer, MAIL_BUFFER_SIZE, "RCPT TO:<%s>\r\n",
> token);
> + spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n", token);
> + if (!Buffer)
> + return OUT_OF_MEMORY;
> if ((res = Post(Buffer)) != SUCCESS) {
>
> efree(tempMailTo);
> + efree(Buffer);
> return (res);
>
> }
> + efree(Buffer);
> if ((res = Ack(&server_response)) != SUCCESS) {
> SMTP_ERROR_RESPONSE(server_response);
>
> efree(tempMailTo);
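Review bot: The new `if (!Buffer) return OUT_OF_MEMORY;` inside the loop returns without releasing `tempMailTo`, while the Post and Ack failure paths right below it both call `efree(tempMailTo)` first. Make the early return consistent with them: `if (!Buffer) { efree(tempMailTo); return OUT_OF_MEMORY; }`. The two later RCPT TO loops add the same early return, and their visible error paths do not free tempMailTo either, so it is worth checking who owns that buffer there. The loop body continues outside the hunk.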
> @@ -426,9 +442,14 @@
> token = strtok(tempMailTo, ",");
> while(token != NULL)
> {
> - sprintf(Buffer, "RCPT TO:<%s>\r\n", token);
> - if ((res = Post(Buffer)) != SUCCESS)
> + spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n", token);
> + if (!Buffer)
> + return OUT_OF_MEMORY;
> + if ((res = Post(Buffer)) != SUCCESS) {
> + efree(Buffer);
> return (res);
> + }
> + efree(Buffer);
> if ((res = Ack(&server_response)) != SUCCESS) {
> SMTP_ERROR_RESPONSE(server_response);
> return (res);
> @@ -460,10 +481,14 @@
> token = strtok(tempMailTo, ",");
> while(token != NULL)
> {
> - sprintf(Buffer, "RCPT TO:<%s>\r\n", token);
> + spprintf(&Buffer, 0, "RCPT TO:<%s>\r\n",
> token);
> + if (!Buffer)
> + return OUT_OF_MEMORY;
> if ((res = Post(Buffer)) != SUCCESS) {
> + efree(Buffer);
> return (res);
> }
> + efree(Buffer);
> if ((res = Ack(&server_response)) !=
> SUCCESS) {
> SMTP_ERROR_RESPONSE(server_response);
> return (res);
> @@ -525,7 +550,7 @@
>
>
> /* send message contents in 1024 chunks */
> - if (strlen(data) <= 1024) {
> + if (strlen(data) <= CHUNK_BUFFER_SIZE) {
> if ((res = Post(data)) != SUCCESS)
> return (res);
> } else {
> @@ -533,18 +558,18 @@
> while (1) {
> if (*p == '\0')
> break;
> - if (strlen(p) >= 1024)
> - i = 1024;
> + if (strlen(p) >= CHUNK_BUFFER_SIZE)
> + i = CHUNK_BUFFER_SIZE;
> else
> i = strlen(p);
>
> /* put next chunk in buffer */
> - strncpy(Buffer, p, i);
> - Buffer[i] = '\0';
> + strncpy(ChunkBuffer, p, i);
> + ChunkBuffer[i] = '\0';
> p += i;
>
> /* send chunk */
> - if ((res = Post(Buffer)) != SUCCESS)
> + if ((res = Post(ChunkBuffer)) != SUCCESS)
> return (res);
> }
> }
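Review bot: Each pass of the chunk loop calls `strlen(p)` on the whole remaining message, twice for the final chunk, so sending a large body costs time quadratic in its length, and the result is narrowed into the `int i` declared at the top of SendText. Measure the body once before the loop and track what is left, e.g. `size_t left = strlen(data);` then `i = left < CHUNK_BUFFER_SIZE ? (int)left : CHUNK_BUFFER_SIZE; left -= i;`. With the length known, `memcpy(ChunkBuffer, p, i);` states the intent better than strncpy, since the terminator is written explicitly on the next line. The loop's setup lies outside this hunk.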
>
>
> At 11:35 11.06.2002, you wrote:
> >Why not using spprintf which does not require to allocate the buffer before
> >calling the function?
> >
> >marcus
> >
> >At 00:10 03.06.2002, Markus Fischer wrote:
> >>mfischer Sun Jun 2 18:10:25 2002 EDT
> >>
> >> Modified files:
> >> /php4/win32 sendmail.c
> >> Log:
> >> - Try to fix most of the buffer overflows and dynamically allocate
> >>memory where
> >> applicable.
> >>
> >>
> >>Index: php4/win32/sendmail.c
> >>diff -u php4/win32/sendmail.c:1.35 php4/win32/sendmail.c:1.36
> >>--- php4/win32/sendmail.c:1.35 Sun Jun 2 13:13:48 2002
> >>+++ php4/win32/sendmail.c Sun Jun 2 18:10:25 2002
> >>@@ -17,7 +17,7 @@
> >> *
> >> */
> >>
> >>-/* $Id: sendmail.c,v 1.35 2002/06/02 17:13:48 mfischer Exp $ */
> >>+/* $Id: sendmail.c,v 1.36 2002/06/02 22:10:25 mfischer Exp $ */
> (...)
--
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
Did I help you? http://guru.josefine.at/wish_en
Konnte ich helfen? http://guru.josefine.at/wish_de
"uhmm.. the dates in the bug db.. aren't they printed a bit wrong, i mean, did
i miss when we changed to 53 days/month ( +2002-02-53) ? =P - N0v3ll