Sorry, I misread Miquel's post. This was the overrun Miquel already mentioned. However, limiting the UIDL to 128 in length does not completely fix it, since a huge From: header could still cause an overrun. Either way, I think the solution is to limit uidl_str size AND reduce the size of the buffer in the from_hdr() function from pop_uidl.c (as well as make the buffer static -- it sure seems to me like it should be). Here's what I chose to do instead of truncating uidl_str to 128 in pop_dropcopy.c: *** work/qpopper2.41beta1/pop_dropcopy.c Sun Jun 28 12:58:14 1998 --- work2/qpopper2.41beta1/pop_dropcopy.c Sun Jun 28 13:07:47 1998 *************** POP *p; *** 489,495 **** /* Skip over header string */ cp = &buffer[7]; while (*cp && (*cp == ' ' || *cp == '\t')) cp++; ! if(strlen(cp) < DIG_SIZE) /* To account for the empty UIDL string */ { uidl_found--; /*roll over as though it hasn't seen anything*/ continue; --- 489,501 ---- /* Skip over header string */ cp = &buffer[7]; while (*cp && (*cp == ' ' || *cp == '\t')) cp++; ! /* ! * The UIDL digest SHOULD be approx. 32 chars long, ! * so reject/skip any X-UIDL: lines that don't fit ! * this profile. A new X-UIDL: line will be created ! * for any messages that don't have a valid one. ! */ ! if(strlen(cp) < DIG_SIZE || strlen(cp) > DIG_SIZE * 3) { uidl_found--; /*roll over as though it hasn't seen anything*/ continue; And then to fix the possibility of a From: header overrunning things in pop_uidl.c during an EUIDL command from the POP client: *** work/qpopper2.41beta1/pop_uidl.c Wed Nov 19 14:20:38 1997 --- work2/qpopper2.41beta1/pop_uidl.c Sun Jun 28 13:09:56 1998 *************** from_hdr(p, mp) *** 101,107 **** POP *p; MsgInfoList *mp; { ! char buf[MAXLINELEN], *cp; fseek(p->drop, mp->offset, 0); while (fgets(buf, sizeof(buf), p->drop) != NULL) { --- 101,112 ---- POP *p; MsgInfoList *mp; { ! /* ! * Shorten this buffer so that an extra-long From: header ! * won't overflow the buffers in the pop_euidl() where ! 
* this function is called. 128 should be sufficient. ! */ ! static char buf[MAXLINELEN - 128], *cp; fseek(p->drop, mp->offset, 0); while (fgets(buf, sizeof(buf), p->drop) != NULL) { Aaron out.
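Review bot: In the pop_dropcopy.c hunk, the new upper bound `strlen(cp) > DIG_SIZE * 3` is a magic multiplier that the comment does not explain (the comment says the digest should be "approx. 32 chars", but the code never relates 32 to DIG_SIZE), and the hunk does not show the later copy into uidl_str, so a reviewer cannot confirm that DIG_SIZE * 3 is at most the size of that destination. Suggest computing `len = strlen(cp)` once instead of calling strlen twice, expressing the upper bound in terms of the destination buffer (for example `len >= sizeof(uidl_str)` or a named constant defined next to uidl_str), and saying in the comment that a too-long X-UIDL: line is skipped precisely so it can never be copied into uidl_str.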
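Review bot: In the pop_uidl.c hunk, `static char buf[MAXLINELEN - 128]` ties the size of this buffer to an unstated assumption about the buffers in pop_euidl(); if those are ever resized, the 128-byte margin silently stops protecting them, so derive the size from the caller's buffer (or a shared constant) rather than a literal 128, and note in the comment that making the buffer static means from_hdr() is no longer reentrant. Also, `fgets(buf, sizeof(buf), p->drop)` truncates a From: line longer than the buffer and returns the remainder of that same line on the next iteration as though it were a fresh line; the hunk does not show the loop body, so confirm that a continuation fragment cannot be mistaken for a new header (for example by consuming to the newline when buf does not end in '\n').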
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:47 PDT