On 01/06/2015 12:11 PM, Gilles Chehade wrote: > Index: smtp_session.c > =================================================================== > RCS file: /cvs/src/usr.sbin/smtpd/smtp_session.c,v > retrieving revision 1.221 > diff -u -p -r1.221 smtp_session.c > --- smtp_session.c 17 Dec 2014 15:49:23 -0000 1.221 > +++ smtp_session.c 5 Jan 2015 22:36:55 -0000 > @@ -315,7 +315,9 @@ header_append_domain_buffer(char *buffer > has_domain = 1; > if (buffer[i] == ':' && !escape && !comment && !quote) > has_group = 1; > - if (! isspace(buffer[i])) > + > + /* update insert point if not in comment and not on a > whitespace */ > + if (!comment && buffer[i] != ')' && !isspace((int)buffer[i]))
This isspace call looks wrong, and looking at the source, so do nearby isspace calls. The argument to isspace() must be EOF or representable as an unsigned char; otherwise, the result is undefined. However, char is signed on some platforms, and buffer is a char pointer here, meaning out-of-range values might be passed. Casting to an int just sign-extends the potential negative values, rather than mapping them to the high unsigned char values. The callers should be changed to the pattern isspace((unsigned char)buffer[i]) instead. > pos_component = i; > }
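Review bot: the `(int)` cast in the new condition `isspace((int)buffer[i])` does not remove the undefined behaviour for bytes above 0x7F on platforms where `char` is signed, because the cast keeps the negative value; use `isspace((unsigned char)buffer[i])` here, and the same applies to the original `if (! isspace(buffer[i]))` line this hunk replaces. Also, the new comment appears wrapped across two lines in this mail (`... not on a` / `whitespace */`), so the hunk should be applied from the original patch rather than from the quoted copy.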
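To make the sign-extension point concrete, here is an added example (not code from the OpenSMTPD patch or from the reply) that shows what isspace() actually receives under each cast, plus a hypothetical helper `last_non_space` that applies the recommended `(unsigned char)` pattern to a scan like the one in header_append_domain_buffer(); the test input is constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Value isspace() receives when a char is cast to int: on platforms where
 * char is signed, a byte >= 0x80 sign-extends to a negative int, which is
 * outside the range the ctype functions accept (EOF or 0..UCHAR_MAX). */
int ctype_arg_via_int(char c)
{
    return (int)c;
}

/* Value isspace() receives with the (unsigned char) cast: always 0..255. */
int ctype_arg_via_uchar(char c)
{
    return (unsigned char)c;
}

/* Is the argument inside the range the ctype functions define? */
int ctype_arg_in_range(int arg)
{
    return arg == EOF || (arg >= 0 && arg <= UCHAR_MAX);
}

/* Hypothetical helper: index of the last non-whitespace byte in buffer,
 * or -1 if there is none. High-bit bytes (e.g. UTF-8 in a header) are
 * passed to isspace() as 0..255, never as negative values. */
int last_non_space(const char *buffer, size_t len)
{
    int pos = -1;
    for (size_t i = 0; i < len; i++)
        if (!isspace((unsigned char)buffer[i]))
            pos = (int)i;
    return pos;
}

int main(void)
{
    char hi = (char)0xC3; /* constructed: lead byte of a UTF-8 sequence */
    printf("char is %s on this platform\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("(int)c           = %d, in range: %d\n",
           ctype_arg_via_int(hi), ctype_arg_in_range(ctype_arg_via_int(hi)));
    printf("(unsigned char)c = %d, in range: %d\n",
           ctype_arg_via_uchar(hi), ctype_arg_in_range(ctype_arg_via_uchar(hi)));
    return 0;
}
```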
