Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site pur-phy.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxl!ihnp4!inuxc!pur-ee!CS-Mordred!Pucc-H:Physics:crl
From: crl@pur-phy.UUCP (Charles LaBrec)
Newsgroups: net.news.b
Subject: Expire infinite loop bug fixed
Message-ID: <1205@pur-phy.UUCP>
Date: Tue, 14-Feb-84 15:39:17 EST
Article-I.D.: pur-phy.1205
Posted: Tue Feb 14 15:39:17 1984
Date-Received: Fri, 17-Feb-84 03:57:27 EST
Organization: Purdue University Physics Dept.
Lines: 100
Last week, we had the same problem with expire, so I dug into the
sources and fixed it. Since it seems stable, I'll hand it out.
The problem is in the subroutine frmread(). The way unrecognized
headers in a message are handled is that an array of pointers is
kept that point to them. When a message header is parsed, this array
is zeroed and unrecognized headers are malloc'ed when they are seen.
Unfortunately, the return from malloc is not checked, and is immediately
used in a strcpy to copy the header into the space (thus a copy into
address 0 on an 11). Furthermore, the array is never free()'ed, so
11's run out of space real quick. It seems as if more unrecognized
headers are coming in (I see quite a few with notesfile specific
information) so the problem has only recently reared its ugly head.
The diff is below.
Charles LaBrec
UUCP: pur-ee!Physics:crl, purdue!Physics:crl
INTERNET: crl @ pur-phy.UUCP
*** /tmp/#RCSt1008875 Tue Feb 14 15:28:51 1984
--- /tmp/#RCSt2008875 Tue Feb 14 15:29:10 1984
***************
*** 1,5
/*
* header.c - header functions plus some other goodies
*/
static char *SccsId = "@(#)header.c 2.20 6/24/83";
--- 1,29 -----
/*
* header.c - header functions plus some other goodies
+ *
+ * $Log: /src/usrbin/news/src/RCS/header.c,v $
+ * Revision 2.20.1.6 84/02/08 20:52:45 crl
+ * The malloc() of unrecognized headers was not checked for success.
+ * The above malloc()'ed space is never freed.
*/
static char *SccsId = "@(#)header.c 2.20 6/24/83";
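Review bot: the SccsId on the context line still reads "header.c 2.20 6/24/83" while the new $Log$ entry records revision 2.20.1.6, so a binary built from this source will identify itself as the unfixed 2.20; bump the id string in the same change (or switch the file to an RCS $Header$ keyword, since the log is now RCS-maintained) so an installed expire can be matched to the fix.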
***************
*** 122,128
int hdrlineno = 0;
int iu;
! for (iu=0; iuunrec[iu] = NULL;
i = type(bfr);
--- 146,154 -----
int hdrlineno = 0;
int iu;
! for (iu=0; iuunrec[iu] != NULL)
! free(hp->unrec[iu]);
hp->unrec[iu] = NULL;
}
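Review bot: the loop header and the old one-line body look truncated in the posted text ("for (iu=0; iuunrec[iu] = NULL;" and "for (iu=0; iuunrec[iu] != NULL)"), presumably the "<NUNREC; iu++) ... hp->" portion was eaten in transit, so anyone applying this by hand should restore the bound and the hp-> dereference rather than trusting the text as shown. Separately, the rewritten loop now free()s whatever is in hp->unrec[] before the NULL assignment, so the first frmread() on a struct hdr that was never zeroed (a stack or freshly malloc()'ed header) will free garbage pointers; the caller must guarantee every unrec[] slot starts out NULL, and it would be worth stating that requirement in a comment above the loop.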
***************
*** 124,129
for (iu=0; iuunrec[iu] = NULL;
i = type(bfr);
do {
--- 150,156 -----
if (hp->unrec[iu] != NULL)
free(hp->unrec[iu]);
hp->unrec[iu] = NULL;
+ }
i = type(bfr);
do {
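Review bot: this hunk (old lines 124,129) overlaps the previous one (old lines 122,128), so the two hunks describe the same region twice and the closing "+ }" of the new for-loop arrives separately from the "for" that opens it; patch(1) will reject or mis-apply overlapping context hunks. Regenerate the diff as a single hunk covering the whole loop (old 122,129) so the brace and the loop land together.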
***************
*** 210,218
break;
case OTHER:
if (unreccnt < NUNREC) {
! hp->unrec[unreccnt] = malloc(strlen(bfr) + 1);
! strcpy(hp->unrec[unreccnt], bfr);
! unreccnt++;
}
break;
}
--- 237,246 -----
break;
case OTHER:
if (unreccnt < NUNREC) {
! if ((hp->unrec[unreccnt] = malloc(strlen(bfr) + 1)) != NULL) {
! strcpy(hp->unrec[unreccnt], bfr);
! unreccnt++;
! }
}
break;
}
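Review bot: when malloc() returns NULL the header line is now silently dropped, so an expire that is short of memory will quietly produce messages with their unrecognized headers (the notesfile information mentioned above) missing and nothing in any log to say why; consider reporting the failure through whatever error routine header.c already uses before falling through. The bookkeeping itself is consistent: unreccnt only advances on success, the failed slot is left NULL, and the new free loop at the top of frmread() checks for NULL, so no half-filled slot is ever dereferenced or double-freed.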
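As an added example, not code from the post or from B News: a small re-creation of the
unrecognized-header bookkeeping the post describes, written so that both failure modes
(more unknown headers than slots, and malloc() returning NULL) can be exercised without
actually exhausting memory. The names hdr, NUNREC, unrec, hdr_parse, hdr_release and the
allocator hook are assumptions, and the sample messages are constructed; the only B News
detail kept is the fixed-size array of malloc()'ed copies that must be freed before reuse.

```c
/*
 * Added example, not from the original post or from B News.
 * Models the unrec[] array of frmread(): a fixed number of malloc()'ed
 * copies of unrecognized header lines, freed before the next message
 * is parsed, with the malloc() result checked before it is used.
 * Names (hdr, NUNREC, hdr_parse, alloc_hook, ...) are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUNREC 4   /* deliberately small so the "too many headers" path is easy to hit */

struct hdr {
    char *subject;           /* one recognized header, for contrast */
    char *unrec[NUNREC];     /* malloc()'ed copies of unrecognized header lines */
    int  unreccnt;           /* how many unrec[] slots are in use */
    int  dropped;            /* lines lost to NUNREC or to malloc() failure */
};

/* Allocator hook so a test can make "malloc()" fail on demand. */
static void *(*alloc_hook)(size_t) = malloc;

void *failing_alloc(size_t n) { (void)n; return NULL; }

void hdr_set_allocator(void *(*fn)(size_t)) { alloc_hook = fn ? fn : malloc; }

/* Every unrec[] slot must start as NULL, or hdr_release() would free garbage. */
void hdr_init(struct hdr *hp) { memset(hp, 0, sizeof *hp); }

/* Free what the previous message left behind; the part the post's fix adds. */
void hdr_release(struct hdr *hp)
{
    int iu;
    free(hp->subject);
    hp->subject = NULL;
    for (iu = 0; iu < NUNREC; iu++) {
        if (hp->unrec[iu] != NULL)
            free(hp->unrec[iu]);
        hp->unrec[iu] = NULL;
    }
    hp->unreccnt = 0;
    hp->dropped = 0;
}

/* Copy a line through the hook; returns NULL instead of writing to address 0. */
static char *dupline(const char *s)
{
    char *p = alloc_hook(strlen(s) + 1);
    if (p != NULL)
        strcpy(p, s);
    return p;
}

/*
 * Parse one message's header block: '\n'-separated lines, ended by an
 * empty line or the end of the string.  Returns the number of header
 * lines seen (kept or dropped).
 */
int hdr_parse(struct hdr *hp, const char *text)
{
    int seen = 0;
    hdr_release(hp);
    while (*text != '\0' && *text != '\n') {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;          /* truncate, never overflow the buffer */
        memcpy(line, text, len);
        line[len] = '\0';
        seen++;
        if (strncmp(line, "Subject: ", 9) == 0) {
            free(hp->subject);              /* a repeated Subject: replaces the first */
            hp->subject = dupline(line + 9);
        } else if (hp->unreccnt < NUNREC) {
            /* the post's fix: only claim the slot when the copy succeeded */
            if ((hp->unrec[hp->unreccnt] = dupline(line)) != NULL)
                hp->unreccnt++;
            else
                hp->dropped++;
        } else {
            hp->dropped++;                  /* out of slots: line is lost, not overwritten */
        }
        if (eol == NULL)
            break;
        text = eol + 1;
    }
    return seen;
}
```

The dropped counter is the one thing the patched frmread() does not have: without it an
out-of-memory run and a message with too many unknown headers look identical from the
outside, which is the silent-failure caveat a reviewer would raise against the patch.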