Thank you Miquel van Smoorenburg <miquelsat_private> for explaining to me how the UIDL handling in pop_dropcopy.c can potentially later result in a buffer overflow. The first time I saw the patch for pop_dropcopy.c, I looked all over pop_dropcopy.c and couldn't see any overflow. Then Miquel explained that the overflow actually ocurrs in pop_udil.c but the prevention of the overflow is by limiting the uidl length in pop_dropcopy.c. After further investigation, I see another potential overflow in pop_uidl.c that can occur even when uidl length is limited to 128 chars. The potential overflow can occur in the pop_euidl() function in two different spots where this code appears: sprintf(buffer, "%d %s", msg_id, mp->uidl_str); if (nl = index(buffer, NEWLINE)) *nl = 0; sprintf(buffer, "%s %d %s", buffer, mp->length, from_hdr(p, mp)); Even with mp->uidl_str limited to 128 chars, the from_hdr(p, mp) code can return the text from a message's "From:" header which could then overflow the buffer. Also, is it just me, or is the from_hdr() function in the pop_uidl.c file returning a pointer to a non-static buffer? That's wrong, is it not? It is defined: char buf[MAXLINELEN], *cp; Should it not instead be: char * cp; static char buf[MAXLINELEN]; Enjoy! Aaron out.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:24 PDT