Hello all,
I've detected two bugs of mine and want to report that they're fixed
and cherry-picked onto the *master* branch.
The plain diffs are also attached below and may be patched into
S-nail 14.2 (small offset, but will succeed).
. The first bug is a possible buffer overflow in a snprintf(3)
statement that may happen when displaying a mail.
In short -- we did not yet reserve any space for printing two
integers but assumed that the numbers would well fit into the 16
format characters that disappear during the snprintf(3).
This is not true when the second bug hit, though, since then
UINT64_MAX (may) happen(s), and that is 18446744073709551615.
. The second one is a partial reverse of (Tweak MIME boundary
detection.., 2012-12-20), or, to be exact, we'll use the
original if() condition again (but adjusted to new codeflow).
A Microsoft Word-created mail on the ICU list revealed
a weakness in the boundary code that caused some boundary to
be missed. (We _want_ the single-pass MIME part parser...)
Ugly, ugly… but I don't think this is worth a maintenance release,
not least because I don't know of any packaged S-nail.
I would encourage you to update your *master* branch and rebuild,
though. The fixes will be included in the next regular minor
version of S-nail, most likely at the end of this summer.
Ciao, and sorry for the inconvenience!
--steffen
diff --git a/send.c b/send.c
index 3a60004..cb88a60 100644
--- a/send.c
+++ b/send.c
@@ -136,15 +136,16 @@ _parsemultipart(struct message *zmp, struct mimepart *ip, enum parseflags pf,
offs = ftell(ibuf);
newpart(ip, &np, offs, NULL);
while (fgetline(&line, &linesize, &count, &linelen, ibuf, 0)) {
- if ((lines == 0 || part > 0) && (linelen <= boundlen ||
- strncmp(line, boundary, boundlen) != 0)) {
+ /* XXX linelen includes LF */
+ if (! ((lines > 0 || part == 0) && linelen > boundlen &&
+ memcmp(line, boundary, boundlen) == 0)) {
++lines;
continue;
}
/* Subpart boundary? */
if (line[boundlen] == '\n') {
offs = ftell(ibuf);
- if (part != 0) {
+ if (part > 0) {
endpart(&np, offs - boundlen - 2, lines);
newpart(ip, &np, offs - boundlen - 2, NULL);
}
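Review bot: the `memcmp()` in the new condition is only memory-safe because `linelen > boundlen` is evaluated first and short-circuits; that dependency deserves to be spelled out in the `/* XXX linelen includes LF */` comment, since reordering the `&&` operands would read past a short line (the old `strncmp()` stopped at the NUL). The negated compound `if (! ((lines > 0 || part == 0) && ...))` is also hard to audit against the old `(lines == 0 || part > 0)` form, which it does not simply invert; a named boolean such as `is_boundary = (lines > 0 || part == 0) && linelen > boundlen && memcmp(line, boundary, boundlen) == 0;` followed by `if (!is_boundary)` would make the intended revert of the 2012-12-20 logic reviewable line by line.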
@@ -222,13 +223,20 @@ _print_part_info(struct str *out, struct mimepart *mip,
if ((ps = mip->m_partstring) == NULL || ps[0] == '\0')
ps = "?";
+ /*
+ * Assume maximum possible sizes for 64 bit integers here to avoid any
+ * buffer overflows just in case we have a bug somewhere and / or the
+ * snprintf() is our internal version that doesn't really provide hard
+ * buffer cuts
+ */
#define __msg "%s[-- #%s : %lu/%lu%s%s --]\n"
- out->l = sizeof(__msg) + strlen(ps) + ct.l + cd.l + 1;
+ out->l = sizeof(__msg) + strlen(ps) + 2*21 + ct.l + cd.l + 1;
out->s = salloc(out->l);
out->l = snprintf(out->s, out->l, __msg,
(level || (ps[0] != '1' && ps[1] == '\0')) ? "\n" : "",
ps, (ul_it)mip->m_lines, (ul_it)mip->m_size,
(ct.s != NULL ? ct.s : ""), (cd.s != NULL ? cd.s : ""));
+ out->s[out->l] = '\0';
#undef __msg
if (cd.s != NULL)
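Review bot: the added `out->s[out->l] = '\0';` can itself write out of bounds, because `out->l = snprintf(out->s, out->l, __msg, ...)` overwrites the allocated size with snprintf's return value, which is the length the full output *would* have had (possibly `>=` the buffer size on truncation) or negative on error; in either case the index is outside `out->s`. Keep the allocation size in a separate variable and clamp before terminating, e.g. `size_t sz = out->l; ... n = snprintf(out->s, sz, __msg, ...); if (n < 0 || (size_t)n >= sz) n = sz - 1; out->s[n] = '\0'; out->l = n;`. The `2*21` reservation matches the comment's stated intent (20 digits of UINT64_MAX plus one), and the `%lu` conversions are no wider than that on any platform, so the size arithmetic itself looks right; the hazard is only the unchecked terminator write.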
nail-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nail-devel