On Fri, Jul 18, 2003 at 05:23:58PM -0700, Tom Collins wrote:
> On Friday, July 18, 2003, at 03:55  PM, Doug Clements wrote:
> >It looks like there's 2 main problems he's detailing. The first he 
> >details looks pretty darn obviously a bug. Can anyone comment on why 
> >this buffer isn't cleared, and why it hasn't been fixed?
> If someone can give me better guidance, I will go in and fix the 
> problem on the vpopmail side.
> What functions does authdaemon make use of in libvpopmail?

I would imagine it only uses the password lookup functions. vpopmail is pretty darn 
simple, there aren't that many ways to look up a password.

> libvpopmail may need a major overhaul and review for memory leaks, 
> especially if it's like QmailAdmin.  Since QmailAdmin runs as a CGI, no 
> one has been very careful about freeing allocated memory when it's done 
> being used.  I'm not sure if similar coding practices are present in 
> vpopmail.

There doesn't appear to be from what I've seen, and random segfaults and crashes of 
various vpopmail processes strengthen my opinion. vpopmail seems to have more of a "fix 
things when they cause problems" way of going.

> Does anyone see a reason it should be hardcoded into the lib?

The only one I can think of is speed, but really when you're using mysql, the hit of 
opening another file will be much lower than that of even connecting to the sql server 
and just logging in, not counting query time.

> I'm not intimately familiar with sqwebmail, but I'll commit to fixing 
> whatever is broken in vpopmail.  Should I just examine authvchkpw.c to 
> see how it interfaces to vpopmail, and work on the parts of vpopmail 
> that it touches?  Otherwise, it will probably be necessary to review 
> each function in vpopmail to make sure it could be called repeatedly, 
> work properly, and not leak memory.

I would just look through it.. I would love to get in there, but my to-do list is huge 
already. Seems some sort of regression testing app would be pretty easy to code up 
that does what you describe.

Catching the bug he describes of reusing a buffer without clearing it should be pretty 
easy to find. He even tells us it's the username field, so good hunting!
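
An added illustration, not part of the original message and not vpopmail or authdaemon code: the bug class named in the thread (a buffer reused across calls without being cleared) and the kind of repeated-call regression check suggested above. The function names, buffer size and user names are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32   /* hypothetical buffer size */

typedef const char *(*lookup_fn)(const char *);

/* Hypothetical one-shot-style lookup: the static buffer is never cleared
 * and memcpy writes no terminator, so a shorter name keeps the tail of
 * the name from the previous call. Harmless in a CGI that exits after
 * one request, wrong in a daemon that calls it again. */
const char *lookup_stale(const char *user)
{
    static char name[NAME_BUF];
    size_t n = strlen(user);
    if (n >= sizeof name) n = sizeof name - 1;
    memcpy(name, user, n);
    return name;
}

/* Same lookup with the buffer reset at the start of every call. */
const char *lookup_cleared(const char *user)
{
    static char name[NAME_BUF];
    size_t n = strlen(user);
    if (n >= sizeof name) n = sizeof name - 1;
    memset(name, 0, sizeof name);
    memcpy(name, user, n);
    return name;
}

/* Regression check: call the function repeatedly inside one process, as
 * a long-running daemon would, and count results that differ from the
 * name that was passed in. */
int repeat_call_mismatches(lookup_fn fn)
{
    const char *users[] = { "postmaster", "bob", "alice", "al" }; /* constructed */
    int bad = 0;
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(fn(users[i]), users[i]) != 0)
            bad++;
    return bad;
}

int main(void)
{
    printf("stale:   %d mismatches\n", repeat_call_mismatches(lookup_stale));
    printf("cleared: %d mismatches\n", repeat_call_mismatches(lookup_cleared));
    return 0;
}
```

Ordering the inputs from longer to shorter names is what exposes the stale tail; a test that only ever passes one name, or names of growing length, would not catch it.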

