Date: Sun, 28 Jun 1998 14:28:21 -0600
From: "Aaron D. Gifford" <[email protected]>
To: [email protected]
Subject: Re: And another qpopper overflow (does this make 3?)
Sorry,
I misread Miquel's post. This was the overrun Miquel already mentioned.
However, limiting the UIDL to 128 in length does not completely fix it, since
a huge From: header could still cause an overrun. Either way, I think the
solution is to limit uidl_str size AND reduce the size of the buffer in the
from_hdr() function from pop_uidl.c (as well as make the buffer static -- it
sure seems to me like it should be).
Here's what I chose to do instead of truncating uidl_str to 128 in
pop_dropcopy.c:
*** work/qpopper2.41beta1/pop_dropcopy.c Sun Jun 28 12:58:14 1998
--- work2/qpopper2.41beta1/pop_dropcopy.c Sun Jun 28 13:07:47 1998
*************** POP *p;
*** 489,495 ****
/* Skip over header string */
cp = &buffer[7];
while (*cp && (*cp == ' ' || *cp == '\t')) cp++;
! if(strlen(cp) < DIG_SIZE) /* To account for the empty
UIDL string */
{
uidl_found--; /*roll over as though it hasn't seen
anything*/
continue;
--- 489,501 ----
/* Skip over header string */
cp = &buffer[7];
while (*cp && (*cp == ' ' || *cp == '\t')) cp++;
! /*
! * The UIDL digest SHOULD be approx. 32 chars long,
! * so reject/skip any X-UIDL: lines that don't fit
! * this profile. A new X-UIDL: line will be created
! * for any messages that don't have a valid one.
! */
! if(strlen(cp) < DIG_SIZE || strlen(cp) > DIG_SIZE * 3)
{
uidl_found--; /*roll over as though it hasn't seen
anything*/
continue;
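Review bot: the new upper bound in `if(strlen(cp) < DIG_SIZE || strlen(cp) > DIG_SIZE * 3)` is a multiple of DIG_SIZE rather than the size of the buffer the value is later copied into, which this hunk does not show, so the check stays safe only while that buffer holds at least DIG_SIZE * 3 characters plus the terminator. Suggest comparing against the destination's sizeof (or a named constant shared with its declaration) and taking strlen(cp) once into a local. Since cp points into the line buffer, a trailing newline still on the line is counted in the length; the comment should say whether the 32-character figure includes it.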
And then to fix the possibility of a From: header overrunning things in
pop_uidl.c during an EUIDL command from the POP client:
*** work/qpopper2.41beta1/pop_uidl.c Wed Nov 19 14:20:38 1997
--- work2/qpopper2.41beta1/pop_uidl.c Sun Jun 28 13:09:56 1998
*************** from_hdr(p, mp)
*** 101,107 ****
POP *p;
MsgInfoList *mp;
{
! char buf[MAXLINELEN], *cp;
fseek(p->drop, mp->offset, 0);
while (fgets(buf, sizeof(buf), p->drop) != NULL) {
--- 101,112 ----
POP *p;
MsgInfoList *mp;
{
! /*
! * Shorten this buffer so that an extra-long From: header
! * won't overflow the buffers in the pop_euidl() where
! * this function is called. 128 should be sufficient.
! */
! static char buf[MAXLINELEN - 128], *cp;
fseek(p->drop, mp->offset, 0);
while (fgets(buf, sizeof(buf), p->drop) != NULL) {
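Review bot: in `static char buf[MAXLINELEN - 128], *cp;` the overflow is avoided only by the arithmetic between this size and the buffers in pop_euidl(), which are not visible here; if either side changes, the margin of 128 silently disappears. Suggest bounding the copy in the caller against sizeof of its own buffer and giving 128 a name. The `static` also applies to `cp`, not just `buf`, and makes from_hdr() non-reentrant: anything returned that points into buf is overwritten by the next call. With the shorter buffer, `fgets(buf, sizeof(buf), p->drop)` returns a long line in several pieces, so the loop should not treat a piece that does not begin a line as a new header.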
Aaron out.
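An added example, not part of the original message or of qpopper's source, showing the two limits the message argues for applied where the reply line is assembled: the X-UIDL value is rejected outside the DIG_SIZE to DIG_SIZE * 3 window, and the From: text is truncated to whatever room is left. The names uidl_ok, build_euidl and REPLY_LEN are hypothetical, and DIG_SIZE = 16 is an assumed value.

```c
#include <stdio.h>
#include <string.h>

#define DIG_SIZE  16   /* assumed value for this example */
#define REPLY_LEN 128  /* hypothetical size of the caller's reply buffer */

/* Length of s up to, but not including, a trailing CR/LF. */
static size_t line_len(const char *s) { return strcspn(s, "\r\n"); }

/* Same length window as the patched check, with the newline excluded. */
static int uidl_ok(const char *s)
{
    size_t n = line_len(s);
    return n >= DIG_SIZE && n <= DIG_SIZE * 3;
}

/*
 * Write "<msgnum> <uidl> <from>" into out[outlen].
 * Returns 0 on success (from is truncated to fit), -1 if the UIDL is
 * rejected or out cannot hold the number and UIDL.
 */
static int build_euidl(char *out, size_t outlen, int msgnum,
                       const char *uidl, const char *from)
{
    int used;

    if (!uidl_ok(uidl))
        return -1;
    used = snprintf(out, outlen, "%d %.*s ", msgnum,
                    (int)line_len(uidl), uidl);
    if (used < 0 || (size_t)used >= outlen)
        return -1;
    /* snprintf never writes past outlen - used bytes, terminator included. */
    snprintf(out + used, outlen - (size_t)used, "%.*s",
             (int)line_len(from), from);
    return 0;
}

int main(void)
{
    char out[REPLY_LEN], from[4096];

    /* Constructed input: an oversized From: value. */
    memset(from, 'A', sizeof(from) - 1);
    from[sizeof(from) - 1] = '\0';
    if (build_euidl(out, sizeof(out), 1,
                    "0123456789abcdef0123456789abcdef\n", from) == 0)
        printf("%lu bytes: %s\n", (unsigned long)strlen(out), out);
    return 0;
}
```
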