List: inn-workers
Subject: Re: inn-2.5.3 bug report
From: Julien_ÉLIE <julien () trigofacile ! com>
Date: 2013-06-15 16:27:48
Message-ID: 51BC9604.9040708 () trigofacile ! com
Hi David,

> I just ran the static analyser "cppcheck" over the source code of
> inn-2.5.3. It said, amongst other things

Could you please send to the inn-workers mailing-list the other
things reported by your code analysis? It may be worthwhile having
a look at them.

> [imap_connection.c:2386]: (error) Buffer is accessed out of bounds.
>
> Offending source code is
>
> sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
>
> and
>
> char imap_currentTag[IMAP_TAGLENGTH];
>
> and
>
> #define IMAP_TAGLENGTH 6
>
> sprintf writes a trailing zero byte, so 6 + 1 into 6 won't go. Suggest
> code rework.

Thanks for this bug report.
I believe the following patch fixes the issue.

Index: innfeed/imap_connection.c
===================================================================
--- innfeed/imap_connection.c (révision 9475)
+++ innfeed/imap_connection.c (copie de travail)
@@ -343,7 +343,7 @@
int imap_disconnects;
char *imap_tofree_str;
- char imap_currentTag[IMAP_TAGLENGTH];
+ char imap_currentTag[IMAP_TAGLENGTH+1];
int imap_tag_num;
/* Timer for the max amount of time to wait for a response from the
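Review bot: On the imap_currentTag declaration, the +1 is a bare magic number; a short comment saying it holds the terminating NUL, with IMAP_TAGLENGTH remaining the count of tag digits, would stop a later cleanup from removing it. Because the array is now one byte larger than IMAP_TAGLENGTH, it is also worth confirming that nothing else sizes a copy or comparison of the tag from the array rather than from the macro, or the other way round.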
@@ -2383,7 +2383,7 @@
static void imap_GetTag(connection_t *cxn)
{
- sprintf(cxn->imap_currentTag,"%06d",cxn->imap_tag_num);
+ snprintf(cxn->imap_currentTag, IMAP_TAGLENGTH+1, "%06d", cxn->imap_tag_num);
cxn->imap_tag_num++;
if (cxn->imap_tag_num >= 999999)
{
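Review bot: In the snprintf() call in imap_GetTag(), pass sizeof(cxn->imap_currentTag) as the bound instead of repeating IMAP_TAGLENGTH+1, so the size cannot drift from the declaration changed in the first hunk. snprintf() also truncates silently and its return value is ignored here, so if imap_tag_num ever left the six-digit range that the >= 999999 check below is there to maintain, the tag would be cut short without notice; comparing the return value with IMAP_TAGLENGTH would make that visible.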
--
Julien ÉLIE
« Aliud est celare, aliud tacere. »
_______________________________________________
inn-workers mailing list
inn-workers@lists.isc.org
https://lists.isc.org/mailman/listinfo/inn-workers
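
The size arithmetic from the report above, as an added example that is not part of the original message or of INN's code: it measures how many bytes "%06d" needs and formats a tag with the truncation check that snprintf() makes possible. TAG_DIGITS, tag_bytes_needed() and format_tag() are hypothetical names; TAG_DIGITS is assumed to mirror IMAP_TAGLENGTH.

```c
#include <stdio.h>
#include <string.h>

#define TAG_DIGITS 6  /* assumption: mirrors IMAP_TAGLENGTH in the quoted code */

/* Bytes that "%06d" needs for n, including the terminating NUL.
 * snprintf(NULL, 0, ...) only measures; it writes nothing. */
static size_t tag_bytes_needed(int n)
{
    int len = snprintf(NULL, 0, "%06d", n);
    return len < 0 ? 0 : (size_t)len + 1;
}

/* Format n as a zero-padded tag of exactly TAG_DIGITS digits.
 * Returns 0 on success; returns -1 and leaves dst empty if dst is too
 * small, n is negative, or n needs more than TAG_DIGITS digits. */
static int format_tag(char *dst, size_t dstsize, int n)
{
    int len;

    if (dstsize == 0)
        return -1;
    len = (n < 0) ? -1 : snprintf(dst, dstsize, "%06d", n);
    /* A return value >= dstsize means the output was truncated. */
    if (len < 0 || (size_t)len >= dstsize || len != TAG_DIGITS) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char small[TAG_DIGITS];      /* the size before the patch */
    char fixed[TAG_DIGITS + 1];  /* the size after the patch */
    int rc;

    printf("bytes needed for 42: %zu\n", tag_bytes_needed(42));
    printf("6-byte buffer: rc=%d\n", format_tag(small, sizeof small, 42));
    rc = format_tag(fixed, sizeof fixed, 42);
    printf("7-byte buffer: rc=%d tag=\"%s\"\n", rc, fixed);
    printf("1000000 in 7 bytes: rc=%d\n",
           format_tag(fixed, sizeof fixed, 1000000));
    return 0;
}
```

With the six-byte buffer the bounded call reports failure instead of writing a seventh byte, which is the case cppcheck flagged for the unbounded sprintf().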