EnablePlusedDetail corrupts username when receiving via LMTP
Brought to you by:
paulcockings,
sbajic
Menu
▾
▴
1 Attachments
#168 EnablePlusedDetail corrupts username when receiving via LMTP
When using EnablePlusedDetail with LMTP, the username is getting corrupted.
Example from LMTP:
RCPT TO:dave+foo.bar@mail.example.com
From the debug log:
31191: [08/17/2013 00:48:30] processing user dave@maie.coample.com
"dave+foo.bar@mail.example.com" is corrupted to "dave@maie.coample.com", instead of "dave@mail.example.com".
I can repro on Ubunutu 12.04 with the standard dspam version (3.10.1).
% nc -U /var/spool/postfix/var/run/dspam/dspam.sock < ~/lmtp-test.txt
Attaching lmtp-test.txt.
Running with valgrind found the problem:
==31967== Thread 2:
==31967== Source and destination overlap in strcpy(0x8880f6c, 0x8880f74)
==31967== at 0x48D373B: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==31967== by 0x8053D29: process_users (in /tmp/dspam)
==31967== by 0x8057039: process_connection (in /tmp/dspam)
==31967== by 0x490ED4B: start_thread (pthread_create.c:308)
==31967== by 0x6C50DDD: clone (clone.S:130)
==31967==
Attaching full valgrind output. The problem is line in dspam.c, line 1707:
1701 strcpy(plus, atsign);
Attaching sample code that repro's the problem:
% gcc dspam-corruption.c && ./a.out
username: 0x8363020 dave+foo.bar@mail.example.com
username: 0x8363020 dave@maie.coample.com
mailbox: 0x8363020 dave+foo.bar@mail.example.com
Adding attachments,
The fix is to use memmove instead of strcpy, since memmove allows for overlapping. Attaching patch.
Last edit: Dave Dribin 2013-08-17