On Friday, June 13, 2003, at 11:18 AM, Eric wrote:
I noticed on the Modify User page of qmailadmin 1.0.15 and 1.0.20 (I'm
sure it exists in all other versions too, as I haven't seen anything about
it in the changelog), if you enter a string which is 60+ characters into
the Forward To: box, it creates what seems to be a buffer overflow. For
example, if you enter the 2 addresses as follows into the Forward To: box:
[EMAIL PROTECTED],
[EMAIL PROTECTED]


Then hit modify and this is what's produced in the Forward To box:
[EMAIL PROTECTED],
[EMAIL PROTECTED]/home/vpopmail/domains/domain.com/user/.qmail

I checked in the user's .qmail file, and the same error does occur.

This is a bug in the qmailadmin source.


One item that has been on my TODO list for the source is to review all of the malloc, memset, GetValue, snprintf and similar function calls to make sure they're using the correct size. I really feel that we should be using sizeof() more often than hard-coding the size of the buffer.

In this case, one variable (box) was declared as a 50-byte string, but the calls to GetValue claimed it was 500 bytes (MAX_BUFF).

I increased it to 500 bytes for the next release, and also changed it to allow for more forwarding addresses (previously, it was limited to 2, now it's 5) based on an old request.

I've cleaned up the GetValue and snprintf calls in user.c, and will probably continue on to the other files. If you want to help out, just make sure that you only replace hard-coded sizes with sizeof when it's referring to an array (and not dynamically allocated memory).

--
Tom Collins
[EMAIL PROTECTED]
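
Added example, not part of the original message and not qmailadmin's code: a minimal C sketch of the size mismatch described above (a 50-byte `box` passed with a claimed size of `MAX_BUFF`) and of the `sizeof` rule for arrays versus dynamically allocated memory. `get_field` is a hypothetical stand-in for a GetValue-style bounded copy; `BOX_SIZE`, `SAMPLE`, `overrun_window`, `store_in_array` and `store_in_heap` are likewise assumed names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BUFF 500 /* size the GetValue calls claimed, per the message */
#define BOX_SIZE 50  /* size `box` was actually declared with */
/* Constructed sample input, longer than BOX_SIZE. */
static const char SAMPLE[] =
    "alice@example.com,bob.with.a.long.mailbox.name@mail.example.org";

/* Hypothetical stand-in for a GetValue-style call (not qmailadmin's code):
 * stores at most dstsize bytes, NUL included; returns characters stored. */
static size_t get_field(const char *src, char *dst, size_t dstsize)
{
    size_t n = strlen(src);
    if (dstsize == 0) return 0;
    if (n >= dstsize) n = dstsize - 1; /* truncate rather than overrun */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Bytes beyond the buffer that a callee may write when told `claimed`. */
static size_t overrun_window(size_t actual, size_t claimed)
{
    return claimed > actual ? claimed - actual : 0;
}

/* Array: sizeof(box) tracks the declaration, so the bound cannot drift. */
static size_t store_in_array(const char *input)
{
    char box[BOX_SIZE];
    return get_field(input, box, sizeof(box));
}

/* Heap: sizeof(p) would be the pointer size, so pass the allocation size. */
static size_t store_in_heap(const char *input, size_t alloc)
{
    char *p = malloc(alloc);
    size_t n = p ? get_field(input, p, alloc) : 0;
    free(p);
    return n;
}

int main(void)
{
    printf("overrun window with hard-coded MAX_BUFF: %zu bytes\n",
           overrun_window(BOX_SIZE, MAX_BUFF));
    printf("array: %zu chars, heap: %zu chars\n",
           store_in_array(SAMPLE), store_in_heap(SAMPLE, MAX_BUFF));
    return 0;
}
```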



