[PHP-DEV] Bug #14983 Updated: mail function buffer overflow

2002-02-03 Thread enricod

 ID:   14983
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Open
 Bug Type: Reproducible crash
 Operating System: Windows 2000
 PHP Version:  4.1.1
 New Comment:

what feedback is needed ?


Previous Comments:


[2002-02-02 06:37:30] [EMAIL PROTECTED]

Sorry, reopening.



[2002-02-02 06:35:57] [EMAIL PROTECTED]

No feedback was provided for this bug, so it is being suspended.
If you are able to provide the information that was requested,
please do so and change the status of the bug back to Open.



[2002-01-11 11:31:01] [EMAIL PROTECTED]

Here is the diff.

-Enrico

--- sendmail-old.c  Mon Sep  4 18:26:16 2000
+++ sendmail.c  Thu Jan 10 20:20:56 2002
@@ -16,6 +16,8 @@
  *  The complete wSendmail package with source code can be located
  *  from http://www.jgaa.com
  *
+
+ modified by Enrico Demarin Jan 2001
  */
 
 #include php.h   /*php specific */
@@ -217,7 +219,7 @@
if (strchr(mailTo, '@') == NULL)
return (BAD_MSG_DESTINATION);
 
-   sprintf(Buffer, HELO %s\r\n, LocalHost);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, HELO %s\r\n, LocalHost);
 
/* in the beggining of the dialog */
/* attempt reconnect if the first Post fail */
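Review bot: The result of the new `snprintf` call is discarded here and in the MAIL FROM and both RCPT TO hunks, so an over-long value is silently cut off and the line handed to `Post()` loses its trailing `\r\n`. The server would then treat whatever is sent next as a continuation of the clipped command. Capture the length and fail instead of sending, e.g. `n = snprintf(Buffer, MAIL_BUFFER_SIZE, ...); if (n < 0 || n >= MAIL_BUFFER_SIZE) return (<error code for this site>);`. It is also worth confirming which `snprintf` this Windows-only file resolves to, since an implementation that does not NUL-terminate on truncation would leave `Buffer` unterminated. The enclosing function starts and ends outside the hunk.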
@@ -229,7 +231,7 @@
if ((res = Ack()) != SUCCESS)
return (res);
 
-   sprintf(Buffer, MAIL FROM:%s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE,MAIL FROM:%s\r\n, RPath);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -242,7 +244,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
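Review bot: `token` is formatted into the `RCPT TO:` command exactly as `strtok` split it from `tempMailTo`, and nothing in this hunk rejects a CR or LF inside it. Bounding the copy does not stop an embedded line break from ending the command early, so whatever follows it in the value would be read by the server as a separate line. Reject such values before formatting, for example `if (strpbrk(token, "\r\n")) return (BAD_MSG_DESTINATION);`. The same check is needed in the second RCPT TO loop and for `RPath` in the MAIL FROM hunk. The loop body continues outside the hunk.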
@@ -259,7 +261,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -341,14 +343,15 @@
struct tm *tm = localtime(tNow);
int zoneh = abs(_timezone);
int zonem, res;
+   int i;
+
char *p;
 
-   p = Buffer;
zoneh /= (60 * 60);
zonem = (abs(_timezone) / 60) - (zoneh * 60);
 
if(!xheaders || !strstr(xheaders, Date:)){
-   p += sprintf(p, Date: %s, %02d %s %04d %02d:%02d:%02d
%s%02d%02d\r\n,
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Date: %s, %02d %s %04d
%02d:%02d:%02d %s%02d%02d\r\n,
 days[tm-tm_wday],
 tm-tm_mday,
 months[tm-tm_mon],
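Review bot: The added `int i;` has no comment, and in the fuller copy of this patch further down the thread it is assigned from `strlen(p)`, which returns `size_t`. Declare it as `size_t i; /* length of the current xheaders chunk */` so the type matches and the purpose is stated. With `p = Buffer;` removed, `p` is no longer initialised at the top of the function, so it also deserves a comment saying it is only valid inside the `xheaders` branch. The function body starts and ends outside the hunk.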
@@ -359,21 +362,56 @@
 (_timezone  0) ? + : (_timezone  0) ? - 
: ,
 zoneh,
 zonem);
+
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
 
if(!xheaders || !strstr(xheaders, From:)){
-   p += sprintf(p, From: %s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, From: %s\r\n, RPath);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
-   p += sprintf(p, Subject: %s\r\n, Subject);
+
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Subject: %s\r\n, Subject);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
+
if(!xheaders || !strstr(xheaders, To:)){
-   p += sprintf(p, To: %s\r\n, mailTo);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, To: %s\r\n, mailTo);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
+
if(xheaders){
-   p += sprintf(p, %s\r\n, xheaders);
-   }
 
-   if ((res = Post(Buffer)) != SUCCESS)
-   return (res);
+   /* send extre headers in 1024 chunks */
+   if (strlen(xheaders) = 1024) {
+   if ((res = Post(xheaders)) != SUCCESS)
+   return (res);
+   } else {
+  

[PHP-DEV] Bug #14983 Updated: mail function buffer overflow

2002-02-03 Thread sander

 ID:   14983
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Open
 Bug Type: Reproducible crash
 Operating System: Windows 2000
 PHP Version:  4.1.1
 New Comment:

There was no feedback needed; somehow the status was still set to
feedback, therefore I closed the bug by mistake.
Sorry for the confusion :)


Previous Comments:


[2002-02-03 14:41:50] [EMAIL PROTECTED]

what feedback is needed ?



[2002-02-02 06:37:30] [EMAIL PROTECTED]

Sorry, reopening.



[2002-02-02 06:35:57] [EMAIL PROTECTED]

No feedback was provided for this bug, so it is being suspended.
If you are able to provide the information that was requested,
please do so and change the status of the bug back to Open.



[2002-01-11 11:31:01] [EMAIL PROTECTED]

Here is the diff.

-Enrico

--- sendmail-old.c  Mon Sep  4 18:26:16 2000
+++ sendmail.c  Thu Jan 10 20:20:56 2002
@@ -16,6 +16,8 @@
  *  The complete wSendmail package with source code can be located
  *  from http://www.jgaa.com
  *
+
+ modified by Enrico Demarin Jan 2001
  */
 
 #include php.h   /*php specific */
@@ -217,7 +219,7 @@
if (strchr(mailTo, '@') == NULL)
return (BAD_MSG_DESTINATION);
 
-   sprintf(Buffer, HELO %s\r\n, LocalHost);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, HELO %s\r\n, LocalHost);
 
/* in the beggining of the dialog */
/* attempt reconnect if the first Post fail */
@@ -229,7 +231,7 @@
if ((res = Ack()) != SUCCESS)
return (res);
 
-   sprintf(Buffer, MAIL FROM:%s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE,MAIL FROM:%s\r\n, RPath);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -242,7 +244,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -259,7 +261,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -341,14 +343,15 @@
struct tm *tm = localtime(tNow);
int zoneh = abs(_timezone);
int zonem, res;
+   int i;
+
char *p;
 
-   p = Buffer;
zoneh /= (60 * 60);
zonem = (abs(_timezone) / 60) - (zoneh * 60);
 
if(!xheaders || !strstr(xheaders, Date:)){
-   p += sprintf(p, Date: %s, %02d %s %04d %02d:%02d:%02d
%s%02d%02d\r\n,
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Date: %s, %02d %s %04d
%02d:%02d:%02d %s%02d%02d\r\n,
 days[tm-tm_wday],
 tm-tm_mday,
 months[tm-tm_mon],
@@ -359,21 +362,56 @@
 (_timezone  0) ? + : (_timezone  0) ? - 
: ,
 zoneh,
 zonem);
+
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
 
if(!xheaders || !strstr(xheaders, From:)){
-   p += sprintf(p, From: %s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, From: %s\r\n, RPath);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
-   p += sprintf(p, Subject: %s\r\n, Subject);
+
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Subject: %s\r\n, Subject);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
+
if(!xheaders || !strstr(xheaders, To:)){
-   p += sprintf(p, To: %s\r\n, mailTo);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, To: %s\r\n, mailTo);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
+
if(xheaders){
-   p += sprintf(p, %s\r\n, xheaders);
-   }
 
-   if ((res = Post(Buffer)) != SUCCESS)
-   return (res);
+   /* send extre headers in 1024 chunks */
+

[PHP-DEV] Bug #14983 Updated: mail function buffer overflow

2002-02-02 Thread sander

ID: 14983
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Feedback
Bug Type: Reproducible crash
Operating System: Windows 2000
PHP Version: 4.1.1
New Comment:

No feedback was provided for this bug, so it is being suspended.
If you are able to provide the information that was requested,
please do so and change the status of the bug back to Open.


Previous Comments:


[2002-01-11 11:31:01] [EMAIL PROTECTED]

Here is the diff.

-Enrico

--- sendmail-old.c  Mon Sep  4 18:26:16 2000
+++ sendmail.c  Thu Jan 10 20:20:56 2002
@@ -16,6 +16,8 @@
  *  The complete wSendmail package with source code can be located
  *  from http://www.jgaa.com
  *
+
+ modified by Enrico Demarin Jan 2001
  */
 
 #include php.h   /*php specific */
@@ -217,7 +219,7 @@
if (strchr(mailTo, '@') == NULL)
return (BAD_MSG_DESTINATION);
 
-   sprintf(Buffer, HELO %s\r\n, LocalHost);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, HELO %s\r\n, LocalHost);
 
/* in the beggining of the dialog */
/* attempt reconnect if the first Post fail */
@@ -229,7 +231,7 @@
if ((res = Ack()) != SUCCESS)
return (res);
 
-   sprintf(Buffer, MAIL FROM:%s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE,MAIL FROM:%s\r\n, RPath);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -242,7 +244,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -259,7 +261,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -341,14 +343,15 @@
struct tm *tm = localtime(tNow);
int zoneh = abs(_timezone);
int zonem, res;
+   int i;
+
char *p;
 
-   p = Buffer;
zoneh /= (60 * 60);
zonem = (abs(_timezone) / 60) - (zoneh * 60);
 
if(!xheaders || !strstr(xheaders, Date:)){
-   p += sprintf(p, Date: %s, %02d %s %04d %02d:%02d:%02d
%s%02d%02d\r\n,
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Date: %s, %02d %s %04d
%02d:%02d:%02d %s%02d%02d\r\n,
 days[tm-tm_wday],
 tm-tm_mday,
 months[tm-tm_mon],
@@ -359,21 +362,56 @@
 (_timezone  0) ? + : (_timezone  0) ? - 
: ,
 zoneh,
 zonem);
+
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
 
if(!xheaders || !strstr(xheaders, From:)){
-   p += sprintf(p, From: %s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, From: %s\r\n, RPath);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
-   p += sprintf(p, Subject: %s\r\n, Subject);
+
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Subject: %s\r\n, Subject);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
+
if(!xheaders || !strstr(xheaders, To:)){
-   p += sprintf(p, To: %s\r\n, mailTo);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, To: %s\r\n, mailTo);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
+
if(xheaders){
-   p += sprintf(p, %s\r\n, xheaders);
-   }
 
-   if ((res = Post(Buffer)) != SUCCESS)
-   return (res);
+   /* send extre headers in 1024 chunks */
+   if (strlen(xheaders) = 1024) {
+   if ((res = Post(xheaders)) != SUCCESS)
+   return (res);
+   } else {
+   p = xheaders;
+   
+   while (1) {
+   if (*p == '\0')
+   break;
+   if (strlen(p) = 1024)
+

[PHP-DEV] Bug #14983 Updated: mail function buffer overflow

2002-02-02 Thread sander

ID: 14983
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Old Status: No Feedback
Status: Open
Bug Type: Reproducible crash
Operating System: Windows 2000
PHP Version: 4.1.1
New Comment:

Sorry, reopening.


Previous Comments:


[2002-02-02 06:35:57] [EMAIL PROTECTED]

No feedback was provided for this bug, so it is being suspended.
If you are able to provide the information that was requested,
please do so and change the status of the bug back to Open.



[2002-01-11 11:31:01] [EMAIL PROTECTED]

Here is the diff.

-Enrico

--- sendmail-old.c  Mon Sep  4 18:26:16 2000
+++ sendmail.c  Thu Jan 10 20:20:56 2002
@@ -16,6 +16,8 @@
  *  The complete wSendmail package with source code can be located
  *  from http://www.jgaa.com
  *
+
+ modified by Enrico Demarin Jan 2001
  */
 
 #include php.h   /*php specific */
@@ -217,7 +219,7 @@
if (strchr(mailTo, '@') == NULL)
return (BAD_MSG_DESTINATION);
 
-   sprintf(Buffer, HELO %s\r\n, LocalHost);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, HELO %s\r\n, LocalHost);
 
/* in the beggining of the dialog */
/* attempt reconnect if the first Post fail */
@@ -229,7 +231,7 @@
if ((res = Ack()) != SUCCESS)
return (res);
 
-   sprintf(Buffer, MAIL FROM:%s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE,MAIL FROM:%s\r\n, RPath);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -242,7 +244,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -259,7 +261,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -341,14 +343,15 @@
struct tm *tm = localtime(tNow);
int zoneh = abs(_timezone);
int zonem, res;
+   int i;
+
char *p;
 
-   p = Buffer;
zoneh /= (60 * 60);
zonem = (abs(_timezone) / 60) - (zoneh * 60);
 
if(!xheaders || !strstr(xheaders, Date:)){
-   p += sprintf(p, Date: %s, %02d %s %04d %02d:%02d:%02d
%s%02d%02d\r\n,
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Date: %s, %02d %s %04d
%02d:%02d:%02d %s%02d%02d\r\n,
 days[tm-tm_wday],
 tm-tm_mday,
 months[tm-tm_mon],
@@ -359,21 +362,56 @@
 (_timezone  0) ? + : (_timezone  0) ? - 
: ,
 zoneh,
 zonem);
+
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
 
if(!xheaders || !strstr(xheaders, From:)){
-   p += sprintf(p, From: %s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, From: %s\r\n, RPath);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
-   p += sprintf(p, Subject: %s\r\n, Subject);
+
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Subject: %s\r\n, Subject);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
+
if(!xheaders || !strstr(xheaders, To:)){
-   p += sprintf(p, To: %s\r\n, mailTo);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, To: %s\r\n, mailTo);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
+
if(xheaders){
-   p += sprintf(p, %s\r\n, xheaders);
-   }
 
-   if ((res = Post(Buffer)) != SUCCESS)
-   return (res);
+   /* send extre headers in 1024 chunks */
+   if (strlen(xheaders) = 1024) {
+   if ((res = Post(xheaders)) != SUCCESS)
+   return (res);
+   } else {
+   p = xheaders;
+   
+   while (1) {
+   if 

[PHP-DEV] Bug #14983 Updated: mail function buffer overflow

2002-01-11 Thread sander

ID: 14983
Updated by: sander
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Feedback
Bug Type: Reproducible crash
Operating System: Windows 2000
PHP Version: 4.1.1
New Comment:

It would be nice if you post a diff instead of the whole file...


Previous Comments:


[2002-01-10 21:07:29] [EMAIL PROTECTED]


This is what I came up with to fix the behaviour. It's a quick fix because
I needed PHP working for a demo tomorrow, but it appears to fix the
problem.

- Enrico

/* 
 *PHP Sendmail for Windows.
 *
 *  This file is rewriten specificly for PHPFI.  Some functionality
 *  has been removed (MIME and file attachments).  This code was 
 *  modified from code based on code writen by Jarle Aase.
 *
 *  This class is based on the original code by Jarle Aase, see
bellow:
 *  wSendmail.cpp  It has been striped of some functionality to match
 *  the requirements of phpfi.
 *
 *  Very simple SMTP Send-mail program for sending command-line level
 *  emails and CGI-BIN form response for the Windows platform.
 *
 *  The complete wSendmail package with source code can be located
 *  from http://www.jgaa.com
 *

 modified by Enrico Demarin Jan 2001
 */

#include php.h/*php specific */
#include stdio.h
#include stdlib.h
#include winsock.h
#include time.h
#include string.h
#include malloc.h
#include memory.h
#include winbase.h
#include sendmail.h
#include php_ini.h

/*
   extern int _daylight;
   extern long _timezone;
 */
/*enum
   {
   DO_CONNECT = WM_USER +1
   };
 */

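/* Day and month abbreviations used to build the Date: header.  They are
 * indexed with tm_wday and tm_mon, so the order must follow struct tm.
 * The string quotes were lost in the archived copy and are restored here. */
static char *days[] =
{"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
static char *months[] =
{"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct",
 "Nov", "Dec"};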

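#ifndef THREAD_SAFE
/* File-scope scratch buffer of MAIL_BUFFER_SIZE bytes.  Every command or
 * header line formatted into it must be bounded by MAIL_BUFFER_SIZE. */
char Buffer[MAIL_BUFFER_SIZE];

/* socket related data */
SOCKET sc;
WSADATA Data;
struct hostent *adr;
SOCKADDR_IN sock_in;
int WinsockStarted;             /* reset to FALSE at the start of TSendMail() */
/* values set by the constructor */
char *AppName;
char MailHost[HOST_NAME_LEN];   /* TSendMail() copies its host argument here */
char LocalHost[HOST_NAME_LEN];
#endif
/* The quotes around the two literals below were lost in the archived copy
 * and are restored here. */
char seps[] = " ,\t\n";
char *php_mailer = "PHP 4.0 WIN32";

char *get_header(char *h, char *headers);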

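/* Error messages, indexed by the numeric error code returned by the mail
 * functions.  Entry 0 is the success text and entry 19 is the value
 * TSendMail() returns when the sendmail_from ini setting is missing, so
 * the order of this table must not change.  The string quotes were lost
 * in the archived copy and are restored here. */
static char *ErrorMessages[] =
{
    {"Success"},
    {"Bad arguments from form"},
    {"Unable to open temporary mailfile for read"},
    {"Failed to Start Sockets"},
    {"Failed to Resolve Host"},
    {"Failed to obtain socket handle"},
    {"Failed to Connect"},
    {"Failed to Send"},
    {"Failed to Receive"},
    {"Server Error"},
    {"Failed to resolve the host IP name"},
    {"Out of memory"},
    {"Unknown error"},
    {"Bad Message Contents"},
    {"Bad Message Subject"},
    {"Bad Message destination"},
    {"Bad Message Return Path"},
    {"Bad Mail Host"},
    {"Bad Message File"},
    {"PHP Internal error: php.ini sendmail from variable not set!"}
};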



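/*
 * Name:    TSendMail
 * Input:   host     Name of the mail host where the SMTP server resides.
 *                   Rejected when NULL or when strlen(host) >= HOST_NAME_LEN,
 *                   because it is copied into the fixed-size MailHost array.
 *          headers, Subject, mailTo, data
 *                   Passed unchanged to SendText(); see SendText() for
 *                   their meaning.
 * Output:  error    Receives the error code if something went wrong.  On
 *                   success it holds the value returned by MailConnect().
 * Returns: The result of SendText(), or the error code that stopped the
 *          call before SendText() was reached.
 *
 * The return path comes from the "sendmail_from" ini setting.  The quotes
 * and the ">" of ">=" were lost in the archived copy and are restored here.
 */
int TSendMail(char *host, int *error,
              char *headers, char *Subject, char *mailTo, char *data)
{
    int ret;
    char *RPath = NULL;

    WinsockStarted = FALSE;

    /* MailHost holds HOST_NAME_LEN bytes: refuse any name that would not
     * fit together with its terminating NUL before copying it. */
    if (host == NULL || strlen(host) >= HOST_NAME_LEN) {
        *error = BAD_MAIL_HOST;
        return BAD_MAIL_HOST;
    }
    strcpy(MailHost, host);

    if (!INI_STR("sendmail_from")) {
        /* 19 indexes the "sendmail from variable not set" entry of
         * ErrorMessages[].  Store it in *error like every other failure
         * path, so a caller that reads *error never sees an unset value. */
        *error = 19;
        return 19;
    }
    RPath = estrdup(INI_STR("sendmail_from"));

    /* attempt to connect with mail host */
    *error = MailConnect();
    if (*error != 0) {
        if (RPath) {
            efree(RPath);
        }
        return *error;
    }

    ret = SendText(RPath, Subject, mailTo, data, headers);
    TSMClose();
    if (ret != SUCCESS) {
        *error = ret;
    }
    if (RPath) {
        efree(RPath);
    }
    return ret;
}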

//
// Name:  

[PHP-DEV] Bug #14983 Updated: mail function buffer overflow

2002-01-11 Thread enricod

ID: 14983
Comment by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Feedback
Bug Type: Reproducible crash
Operating System: Windows 2000
PHP Version: 4.1.1
New Comment:

Here is the diff.

-Enrico

--- sendmail-old.c  Mon Sep  4 18:26:16 2000
+++ sendmail.c  Thu Jan 10 20:20:56 2002
@@ -16,6 +16,8 @@
  *  The complete wSendmail package with source code can be located
  *  from http://www.jgaa.com
  *
+
+ modified by Enrico Demarin Jan 2001
  */
 
 #include php.h   /*php specific */
@@ -217,7 +219,7 @@
if (strchr(mailTo, '@') == NULL)
return (BAD_MSG_DESTINATION);
 
-   sprintf(Buffer, HELO %s\r\n, LocalHost);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, HELO %s\r\n, LocalHost);
 
/* in the beggining of the dialog */
/* attempt reconnect if the first Post fail */
@@ -229,7 +231,7 @@
if ((res = Ack()) != SUCCESS)
return (res);
 
-   sprintf(Buffer, MAIL FROM:%s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE,MAIL FROM:%s\r\n, RPath);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -242,7 +244,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -259,7 +261,7 @@
token = strtok(tempMailTo, ,);
while(token != NULL)
{
-   sprintf(Buffer, RCPT TO:%s\r\n, token);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, RCPT TO:%s\r\n, token);
if ((res = Post(Buffer)) != SUCCESS)
return (res);
if ((res = Ack()) != SUCCESS)
@@ -341,14 +343,15 @@
struct tm *tm = localtime(tNow);
int zoneh = abs(_timezone);
int zonem, res;
+   int i;
+
char *p;
 
-   p = Buffer;
zoneh /= (60 * 60);
zonem = (abs(_timezone) / 60) - (zoneh * 60);
 
if(!xheaders || !strstr(xheaders, Date:)){
-   p += sprintf(p, Date: %s, %02d %s %04d %02d:%02d:%02d
%s%02d%02d\r\n,
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Date: %s, %02d %s %04d
%02d:%02d:%02d %s%02d%02d\r\n,
 days[tm-tm_wday],
 tm-tm_mday,
 months[tm-tm_mon],
@@ -359,21 +362,56 @@
 (_timezone  0) ? + : (_timezone  0) ? - 
: ,
 zoneh,
 zonem);
+
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
 
if(!xheaders || !strstr(xheaders, From:)){
-   p += sprintf(p, From: %s\r\n, RPath);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, From: %s\r\n, RPath);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
-   p += sprintf(p, Subject: %s\r\n, Subject);
+
+   snprintf(Buffer, MAIL_BUFFER_SIZE, Subject: %s\r\n, Subject);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
+
if(!xheaders || !strstr(xheaders, To:)){
-   p += sprintf(p, To: %s\r\n, mailTo);
+   snprintf(Buffer, MAIL_BUFFER_SIZE, To: %s\r\n, mailTo);
+   if ((res = Post(Buffer)) != SUCCESS)
+   return (res);
}
+
if(xheaders){
-   p += sprintf(p, %s\r\n, xheaders);
-   }
 
-   if ((res = Post(Buffer)) != SUCCESS)
-   return (res);
+   /* send extre headers in 1024 chunks */
+   if (strlen(xheaders) = 1024) {
+   if ((res = Post(xheaders)) != SUCCESS)
+   return (res);
+   } else {
+   p = xheaders;
+   
+   while (1) {
+   if (*p == '\0')
+   break;
+   if (strlen(p) = 1024)
+   i = 1024;
+   else
+   i = strlen(p);
+
+   /* put next chunk in buffer */
+   

[PHP-DEV] Bug #14983 Updated: mail function buffer overflow

2002-01-10 Thread enricod

ID: 14983
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Reproducible crash
Operating System: Windows 2000
PHP Version: 4.1.1
New Comment:


This is what I came up with to fix the behaviour. It's a quick fix because
I needed PHP working for a demo tomorrow, but it appears to fix the
problem.

- Enrico

/* 
 *PHP Sendmail for Windows.
 *
 *  This file is rewriten specificly for PHPFI.  Some functionality
 *  has been removed (MIME and file attachments).  This code was 
 *  modified from code based on code writen by Jarle Aase.
 *
 *  This class is based on the original code by Jarle Aase, see
bellow:
 *  wSendmail.cpp  It has been striped of some functionality to match
 *  the requirements of phpfi.
 *
 *  Very simple SMTP Send-mail program for sending command-line level
 *  emails and CGI-BIN form response for the Windows platform.
 *
 *  The complete wSendmail package with source code can be located
 *  from http://www.jgaa.com
 *

 modified by Enrico Demarin Jan 2001
 */

#include php.h/*php specific */
#include stdio.h
#include stdlib.h
#include winsock.h
#include time.h
#include string.h
#include malloc.h
#include memory.h
#include winbase.h
#include sendmail.h
#include php_ini.h

/*
   extern int _daylight;
   extern long _timezone;
 */
/*enum
   {
   DO_CONNECT = WM_USER +1
   };
 */

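/* Day and month abbreviations used to build the Date: header.  They are
 * indexed with tm_wday and tm_mon, so the order must follow struct tm.
 * The string quotes were lost in the archived copy and are restored here. */
static char *days[] =
{"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
static char *months[] =
{"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct",
 "Nov", "Dec"};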

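#ifndef THREAD_SAFE
/* File-scope scratch buffer of MAIL_BUFFER_SIZE bytes.  Every command or
 * header line formatted into it must be bounded by MAIL_BUFFER_SIZE. */
char Buffer[MAIL_BUFFER_SIZE];

/* socket related data */
SOCKET sc;
WSADATA Data;
struct hostent *adr;
SOCKADDR_IN sock_in;
int WinsockStarted;             /* reset to FALSE at the start of TSendMail() */
/* values set by the constructor */
char *AppName;
char MailHost[HOST_NAME_LEN];   /* TSendMail() copies its host argument here */
char LocalHost[HOST_NAME_LEN];
#endif
/* The quotes around the two literals below were lost in the archived copy
 * and are restored here. */
char seps[] = " ,\t\n";
char *php_mailer = "PHP 4.0 WIN32";

char *get_header(char *h, char *headers);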

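/* Error messages, indexed by the numeric error code returned by the mail
 * functions.  Entry 0 is the success text and entry 19 is the value
 * TSendMail() returns when the sendmail_from ini setting is missing, so
 * the order of this table must not change.  The string quotes were lost
 * in the archived copy and are restored here. */
static char *ErrorMessages[] =
{
    {"Success"},
    {"Bad arguments from form"},
    {"Unable to open temporary mailfile for read"},
    {"Failed to Start Sockets"},
    {"Failed to Resolve Host"},
    {"Failed to obtain socket handle"},
    {"Failed to Connect"},
    {"Failed to Send"},
    {"Failed to Receive"},
    {"Server Error"},
    {"Failed to resolve the host IP name"},
    {"Out of memory"},
    {"Unknown error"},
    {"Bad Message Contents"},
    {"Bad Message Subject"},
    {"Bad Message destination"},
    {"Bad Message Return Path"},
    {"Bad Mail Host"},
    {"Bad Message File"},
    {"PHP Internal error: php.ini sendmail from variable not set!"}
};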



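/*
 * Name:    TSendMail
 * Input:   host     Name of the mail host where the SMTP server resides.
 *                   Rejected when NULL or when strlen(host) >= HOST_NAME_LEN,
 *                   because it is copied into the fixed-size MailHost array.
 *          headers, Subject, mailTo, data
 *                   Passed unchanged to SendText(); see SendText() for
 *                   their meaning.
 * Output:  error    Receives the error code if something went wrong.  On
 *                   success it holds the value returned by MailConnect().
 * Returns: The result of SendText(), or the error code that stopped the
 *          call before SendText() was reached.
 *
 * The return path comes from the "sendmail_from" ini setting.  The quotes
 * and the ">" of ">=" were lost in the archived copy and are restored here.
 */
int TSendMail(char *host, int *error,
              char *headers, char *Subject, char *mailTo, char *data)
{
    int ret;
    char *RPath = NULL;

    WinsockStarted = FALSE;

    /* MailHost holds HOST_NAME_LEN bytes: refuse any name that would not
     * fit together with its terminating NUL before copying it. */
    if (host == NULL || strlen(host) >= HOST_NAME_LEN) {
        *error = BAD_MAIL_HOST;
        return BAD_MAIL_HOST;
    }
    strcpy(MailHost, host);

    if (!INI_STR("sendmail_from")) {
        /* 19 indexes the "sendmail from variable not set" entry of
         * ErrorMessages[].  Store it in *error like every other failure
         * path, so a caller that reads *error never sees an unset value. */
        *error = 19;
        return 19;
    }
    RPath = estrdup(INI_STR("sendmail_from"));

    /* attempt to connect with mail host */
    *error = MailConnect();
    if (*error != 0) {
        if (RPath) {
            efree(RPath);
        }
        return *error;
    }

    ret = SendText(RPath, Subject, mailTo, data, headers);
    TSMClose();
    if (ret != SUCCESS) {
        *error = ret;
    }
    if (RPath) {
        efree(RPath);
    }
    return ret;
}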

//
// Name:  TSendMail::~TSendMail
// Input:
// Output:
// Description: DESTRUCTOR
// Author/Date:  jcar 20/9/96
// History:
///
void TSMClose()
{