#13 buffer overflow in UIDL command

bug fix (4)

The function httpmail_uidl in commands_pop3.c allocates
a buffer for the response. The size of this buffer
seems to be calculated based on the number of uidls to
be listed. However, a 'header' of sorts is also added to
this buffer and this causes the buffer to overflow.
Result: a segfault on exit or worse. Fix: add the size
of the 'header' to the size of the allocated buffer.

I found this with valgrind and I do not know the code
at all. I also do not know much about C programming.
All I know is that valgrind doesn't complain with this
patch. Someone should probably double-check this before

The patch is against hotwayd-0.7.4 (Gentoo's stable
version) but also applies to the CVS.
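
The sizing mistake described in this report, as an added sketch that is not hotwayd's code and not part of the original post: the buffer is sized from the entry count alone and a bounded builder rejects the response instead of writing past the end. All names, the per-line cap of 96 bytes, and the choice of the POP3 `+OK` status line as the 'header' are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UIDL_HEADER   "+OK\r\n"  /* assumed 'header': POP3 status line */
#define UIDL_TRAILER  ".\r\n"    /* POP3 multi-line terminator */
#define UIDL_LINE_MAX 96         /* assumed cap for "<msgnum> <uid>\r\n" */

/* Sizing as the report describes it: entries only, no header. */
size_t uidl_size_entries_only(size_t n) { return n * UIDL_LINE_MAX; }

/* Sizing that also counts the header, the trailer and the NUL byte. */
size_t uidl_size_full(size_t n) {
    return strlen(UIDL_HEADER) + n * UIDL_LINE_MAX + strlen(UIDL_TRAILER) + 1;
}

/* Bounded append: 0 on success, -1 if s plus its NUL would not fit. */
static int append(char *buf, size_t cap, size_t *used, const char *s) {
    size_t len = strlen(s);
    if (len >= cap - *used) return -1;
    memcpy(buf + *used, s, len + 1);
    *used += len;
    return 0;
}

/* Builds the response into a buffer of `cap` bytes; NULL if it cannot fit. */
char *build_uidl(const char **uids, size_t n, size_t cap) {
    char *buf = malloc(cap ? cap : 1);
    char line[UIDL_LINE_MAX + 1];
    size_t used = 0;
    if (!buf) return NULL;
    if (append(buf, cap, &used, UIDL_HEADER) != 0) goto fail;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(line, sizeof line, "%zu %s\r\n", i + 1, uids[i]);
        if (w < 0 || (size_t)w > UIDL_LINE_MAX) goto fail; /* uid too long */
        if (append(buf, cap, &used, line) != 0) goto fail;
    }
    if (append(buf, cap, &used, UIDL_TRAILER) != 0) goto fail;
    return buf;
fail:
    free(buf);
    return NULL;
}

int main(void) { /* empty mailbox: entries-only sizing has no room for +OK */
    char *bad = build_uidl(NULL, 0, uidl_size_entries_only(0));
    char *ok = build_uidl(NULL, 0, uidl_size_full(0));
    printf("entries-only: %s\nfull: %s", bad ? "built" : "rejected", ok ? ok : "rejected");
    free(bad); free(ok);
    return 0;
}
```

An empty mailbox is the smallest failing case for count-based sizing, since the header alone is then larger than the allocation.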


  • Marien Zwart

    Marien Zwart - 2004-10-19

    patch to increase buffer size.

  • David Smith

    David Smith - 2004-10-23
    • assigned_to: nobody --> courierdave
    • status: open --> closed-accepted
  • David Smith

    David Smith - 2004-10-23

    Patch added to CVS.

