The function httpmail_uidl in commands_pop3.c allocates
a buffer for the response. The size of this buffer
seems to be calculated based on the number of uidls to
be listed. However, a 'header' of sorts is also added to
this buffer and this causes the buffer to overflow.
Result: a segfault on exit or worse. Fix: add the size
of the 'header' to the size of the allocated buffer.
I found this with valgrind and I do not know the code
at all. I also do not know much about C programming.
All I know is that valgrind doesn't complain with this
patch. Someone should probably double-check this before
The patch is against hotwayd-0.7.4 (Gentoo's stable
version) but also applies to the CVS.
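The sizing mistake described in this report, as an added example that is not part of the original post and is not hotwayd's code: a buffer sized only from the number of UIDL lines is compared with one that also counts the header, using a bounded builder that refuses to write past the allocation. All names, the header text and the 80-byte per-line bound are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical names and sizes; hotwayd's real code is not shown here. */
#define UIDL_LINE_MAX 80  /* assumed bound for one "<n> <uidl>\r\n" line */
static const char HEADER[] = "+OK unique-id listing follows\r\n";

/* Sizing as the report describes it: only the per-message lines count. */
size_t size_lines_only(size_t n) { return n * UIDL_LINE_MAX; }
/* Sizing with the fix: the header and its terminating NUL count too. */
size_t size_with_header(size_t n) { return sizeof HEADER + n * UIDL_LINE_MAX; }

/* Bounded append: 0 on success, -1 if s plus its NUL would not fit. */
static int append(char *buf, size_t cap, size_t *used, const char *s) {
    size_t len = strlen(s);
    if (len >= cap - *used) return -1;
    memcpy(buf + *used, s, len + 1);
    *used += len;
    return 0;
}

/* Build the response in a cap-byte buffer; NULL instead of overflowing. */
char *build_uidl(const char *const *uidls, size_t n, size_t cap) {
    char line[UIDL_LINE_MAX + 1]; size_t used = 0;
    char *buf = malloc(cap ? cap : 1);
    if (!buf) return NULL;
    int ok = append(buf, cap, &used, HEADER) == 0;
    for (size_t i = 0; ok && i < n; i++) {
        int w = snprintf(line, sizeof line, "%zu %s\r\n", i + 1, uidls[i]);
        ok = w > 0 && w <= UIDL_LINE_MAX && append(buf, cap, &used, line) == 0;
    }
    if (!ok) { free(buf); return NULL; }
    return buf;
}

/* Constructed sample: two 70-character UIDLs. Returns 1 if cap suffices. */
int demo_fits(size_t cap) {
    char id[71] = {0}; memset(id, 'A', 70);
    const char *uidls[] = { id, id };
    char *r = build_uidl(uidls, 2, cap);
    int fits = (r != NULL);
    free(r);
    return fits;
}

int main(void) {
    printf("lines only:  %s\n", demo_fits(size_lines_only(2)) ? "fits" : "too small");
    printf("with header: %s\n", demo_fits(size_with_header(2)) ? "fits" : "too small");
    return 0;
}
```

An empty mailbox is the sharpest case: the lines-only size is zero bytes, yet the header is still written.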