#13 buffer overflow in UIDL command

Status: closed-accepted
Owner: David Smith
Labels: bug fix (4)
Priority: 5
Updated: 2004-10-23
Created: 2004-10-19
Creator: Marien Zwart
Private: No

The function httpmail_uidl in commands_pop3.c allocates
a buffer for the response. The size of this buffer
seems to be calculated based on the number of uidls to
be listed. However, a 'header' of sorts is also added to
this buffer and this causes the buffer to overflow.
Result: a segfault on exit or worse. Fix: add the size
of the 'header' to the size of the allocated buffer.

I found this with valgrind and I do not know the code
at all. I also do not know much about C programming.
All I know is that valgrind doesn't complain with this
patch. Someone should probably double-check this before
applying.

The patch is against hotwayd-0.7.4 (Gentoo's stable
version) but also applies to the CVS.
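
The sizing mistake described in the report, as an added example that is not hotwayd's code and not part of the original ticket. The function names, the "+OK" header and "." trailer (standard RFC 1939 multi-line framing) and the sample UIDLs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed RFC 1939 framing; not taken from hotwayd's source. */
static const char HEADER[]  = "+OK\r\n";
static const char TRAILER[] = ".\r\n";

/* Bytes for the "<msgnum> <uidl>\r\n" lines only: the undersized count. */
size_t size_entries_only(const char *const *uidls, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (size_t)snprintf(NULL, 0, "%zu %s\r\n", i + 1, uidls[i]);
    return total;
}

/* Corrected count: header + entries + trailer + terminating NUL. */
size_t size_full(const char *const *uidls, size_t n)
{
    return strlen(HEADER) + size_entries_only(uidls, n) + strlen(TRAILER) + 1;
}

/* Build the reply into buf[cap]. Every write is bounded by the space left;
 * returns the reply length, or -1 instead of writing past the buffer. */
long build_uidl(char *buf, size_t cap, const char *const *uidls, size_t n)
{
    int w = snprintf(buf, cap, "%s", HEADER);
    if (w < 0 || (size_t)w >= cap) return -1;
    size_t len = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        w = snprintf(buf + len, cap - len, "%zu %s\r\n", i + 1, uidls[i]);
        if (w < 0 || (size_t)w >= cap - len) return -1;
        len += (size_t)w;
    }
    w = snprintf(buf + len, cap - len, "%s", TRAILER);
    if (w < 0 || (size_t)w >= cap - len) return -1;
    return (long)(len + (size_t)w);
}

int main(void)
{
    const char *uidls[] = { "a1b2", "c3d4" };   /* constructed sample UIDLs */
    char buf[64];
    printf("entries-only: %ld\n", build_uidl(buf, size_entries_only(uidls, 2), uidls, 2));
    printf("full size:    %ld\n", build_uidl(buf, size_full(uidls, 2), uidls, 2));
    return 0;
}
```

With unbounded writes such as `sprintf` or `strcat`, the entries-only size would let the header push the last entry past the end of the allocation, which is the kind of heap write valgrind reports.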

Discussion

  • Marien Zwart
    2004-10-19

    patch to increase buffer size.

  • David Smith
    2004-10-23

    • assigned_to: nobody --> courierdave
    • status: open --> closed-accepted
     
  • David Smith
    2004-10-23

    Patch added to CVS.