[10710] in bugtraq
ipop2d buffer overflow fix
daemon@ATHENA.MIT.EDU (dumped)
Thu Jun 3 17:17:18 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.05.9906031727570.249-100000@dumped.x.com>
Date: Thu, 3 Jun 1999 17:29:05 -0300
Reply-To: dumped <dumped@SEKURE.ORG>
From: dumped <dumped@SEKURE.ORG>
X-To: MRC@CAC.Washington.EDU
To: BUGTRAQ@NETSPACE.ORG
This patch fixes the buffer overflow previously pointed by Thiago.
diff -Nur imap-4.4.orig/src/ipopd/ipop2d.c imap-4.4/src/ipopd/ipop2d.c
--- imap-4.4.orig/src/ipopd/ipop2d.c Thu Jun 3 18:35:15 1999
+++ imap-4.4/src/ipopd/ipop2d.c Thu Jun 3 18:37:02 1999
@@ -10,7 +10,10 @@
* Internet: MRC@CAC.Washington.EDU
*
* Date: 28 October 1990
- * Last Edited: 13 July 1998
+ * Last Edited: 3 June 1999
+ *
+ * dumped (dumped@sekure.org) 3/Jun/99 :
+ * fixed a buffer overflow in c_fold()
*
* Copyright 1998 by the University of Washington
*
@@ -306,7 +309,8 @@
/* don't permit proxy to leave IMAP */
if (stream && stream->mailbox && (s = strchr (stream->mailbox,'}'))) {
strncpy (tmp,stream->mailbox,i = (++s - stream->mailbox));
- strcpy (tmp+i,t); /* append mailbox to initial spec */
+ strncpy (tmp+i,t,sizeof(tmp) - strlen(stream->mailbox));
+ /* append mailbox to initial spec */
t = tmp;
}
/* open mailbox, note # of messages */
