Re: [exim] a question about auth_client_item()

Author: zerons
Date:
To: exim-users
CC: Jeremy Harris
Subject: Re: [exim] a question about auth_client_item()
Hi, Jeremy

> 172 for (int i = 0; i < len; i++)
>
> If len is less than i, the loop exits. No call to memmove.
>


Consider this, ss is '^^^^'.

First loop: len = 4, i = 0, memmove will get called. ss is '^^^^'.

Second loop: len = 3, i = 2, ss[i+1] (ss[3]) is still '^', so before
memmove, i = 3, and len = 2. The third param of memmove would be
(size_t)-1.

Same thing happens when ss is '^^aaaaaaaaaaaaaaaaaaa^'.

First loop: after memmove, ss is '^aaaaaaaaaaaaaaaaaaa^^'.
Last loop: ss[i] is the first '^' after 'a', ss[i+1] (ss[len]) is the last '^'.
    memmove gets called then.


The issue is that the code assumes ss[len] is always 0. However, when memmove
gets called and the original ss[len-1] = '^', after that, with the new len,
ss[len-1] = ss[len] = '^'.

When i = len-1, ss[i] and ss[i+1] are '^', so len would be less than i when
memmove is called.
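
The index arithmetic traced in the message above, replayed as an added example; it is not part of the original message and not Exim's code. The loop body is an assumption reconstructed from the message's description (on a doubled '^': advance i, decrement len, memmove with length len - i), and `replay_unescape` and `struct underflow` are hypothetical names; it stops and reports instead of making the out-of-range call.

```c
#include <stdio.h>
#include <string.h>

struct underflow { int hit; long i; long len; };

/* Replays the '^' unescape loop on a private copy of `in` and reports the
   first point where the memmove length (len - i) would go negative.
   The loop body is reconstructed from the message's trace (assumption),
   not copied from the Exim source. */
struct underflow replay_unescape(const char *in)
{
    struct underflow r = {0, 0, 0};
    char ss[64];
    long len = (long)strlen(in);

    if (len >= (long)sizeof ss) return r;      /* constructed samples only */
    memcpy(ss, in, (size_t)len + 1);

    for (long i = 0; i < len; i++) {
        if (ss[i] != '^') continue;
        if (ss[i + 1] != '^') { ss[i] = 0; continue; }
        i++;
        len--;
        if (len - i < 0) {                     /* would be passed as (size_t)-1 */
            r.hit = 1; r.i = i; r.len = len;
            return r;                          /* stop instead of calling memmove */
        }
        /* Moves the tail but not the terminating NUL, so ss[len] can stay '^'. */
        memmove(ss + i, ss + i + 1, (size_t)(len - i));
    }
    return r;
}

int main(void)
{
    /* Constructed inputs: the two strings from the message plus a benign one. */
    const char *samples[] = { "^^^^", "^^aaaaaaaaaaaaaaaaaaa^", "a^^b" };

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        struct underflow r = replay_unescape(samples[k]);
        if (r.hit)
            printf("%-24s i=%ld len=%ld -> length %ld\n",
                   samples[k], r.i, r.len, r.len - r.i);
        else
            printf("%-24s no negative length\n", samples[k]);
    }
    return 0;
}
```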