Re: AW: [Exim] buffer overflow?

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Hirling Endre
日付:  
To: exim-users
題目: Re: AW: [Exim] buffer overflow?
Hirling Endre wrote:

> > > Speaking of this, Sheldon .. as you are the freebsd port maintainer, could
> > > you please apply a small patch to the freebsd port so that it looks up the
> > > new rbl zones (instead of the old *.maps.vix.org zones)?
> >
> > I'll be upgrading the port to exim-3.30 today. If it isn't using "the
> > new rbl zones", I'll be sure to add an appropriate patch.
>
> 3.30 doesn't fix the segfault. There is a static, 256-byte buffer in tree.c
> that's overwritten in address_prepare, causing the global variable
> message_id to be corrupted.


The attached small patch fixed this segfault for me. Please look at it and
send me any comments.

-m---- exim-3.22/src/tree.c    Fri Jan 19 10:32:11 2001
+++ exim-3.30/src/tree.c    Mon Jun 18 17:33:47 2001
@@ -25,24 +25,29 @@
 Returns:  points to prepared address string, in a fixed bit of store
 */


-static char prepared_address[256];
+// static char prepared_address[256];
+
+static char* prepared_address;

 static char *
 address_prepare(char *s)
 {
-char *p = s + (int)strlen(s);
-while (p > s && p[-1] != '@') p--;
-if (p <= s) strcpy(prepared_address, s); else
-  {
-  char *t = prepared_address;
-  char *pp = p - 2;
-  while (pp >= s && *pp != ':') pp--;
-  while (s < pp) *t++ = tolower(*s++);
-  while (s < p) *t++ = *s++;
-  while (*s) *t++ = tolower(*s++);
-  *t = 0;
-  }
-return prepared_address;
+    int hossz = strlen(s);
+    char *p = s + hossz;
+    prepared_address = (char*)malloc(hossz+1);
+    while (p > s && p[-1] != '@') p--;
+    if (p <= s) {
+        strncpy(prepared_address, s, hossz);
+    } else {
+        char *t = prepared_address;
+        char *pp = p - 2;
+        while (pp >= s && *pp != ':') pp--;
+        while (s < pp) *t++ = tolower(*s++);
+        while (s < p) *t++ = *s++;
+        while (*s) *t++ = tolower(*s++);
+        *t = 0;
+        }
+    return prepared_address;
 }