[13018] in bugtraq
Re: [lucid@TERRA.NEBULA.ORG: qpop3.0b20 and below - notes and
daemon@ATHENA.MIT.EDU (Olaf Seibert)
Mon Dec 20 11:54:16 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991220124645.A3811@polder.ubc.kun.nl>
Date: Mon, 20 Dec 1999 12:46:45 +0100
Reply-To: Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
From: Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
X-To: Maurycy Prodeus <z33d@TENET.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991217130838.5137.qmail@tenet.pl>
On Fri 17 Dec 1999 at 13:08:38 -0000, Maurycy Prodeus wrote:
> In pop_euidl() in file pop_uidl.c (qpop-2.53) :
>
> } else {
>
>     sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
>     if (nl = index(buffer, NEWLINE)) *nl = 0;
>     sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));
This is a wrong way to append text to a buffer anyway... if that's
indeed the intention. Strictly speaking from a C standards viewpoint,
this function call (probably) has undefined behaviour because one object
(the buffer) is both being used and modified between sequence points;
practically speaking it is quite possible that the action of copying the
buffer to itself might never finish because the terminating \0 is
overwritten by something before it is seen to terminate the string...
I would suggest something like
sprintf(buffer + strlen(buffer), " %d %.128s", mp->length, from_hdr(p,mp));
-Olaf.
--
___ Olaf 'Rhialto' Seibert - rhialto@polder.ubc. -- If one tells the truth,
\X/ .kun.nl -- one is sure, sooner or later, to be found out. (Oscar Wilde)
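Added example, not part of the post above and not qpopper's own code: a bounded version of the append Olaf suggests. It builds the same "msg_id uidl length from" line as the quoted pop_euidl() branch, but the second write starts at `buffer + strlen(buffer)` through vsnprintf with the remaining space, so the buffer is never an input and an output of the same call, and a line that does not fit is reported instead of written past the end. The function names (append_fmt, build_euidl_line, example_*) and the sample UIDL, length and From value are assumptions constructed for the demonstration; strchr stands in for the BSD index() in the original.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NEWLINE '\n'

/* Append formatted text after the text already in buf, never writing more
 * than cap bytes in total. Returns 0 on success, -1 if the result did not
 * fit; buf stays NUL-terminated either way. */
static int append_fmt(char *buf, size_t cap, const char *fmt, ...)
{
    size_t used = strlen(buf);
    va_list ap;
    int n;

    if (used >= cap)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + used, cap - used, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= cap - used) ? -1 : 0;
}

/* Build the "<msg_id> <uidl> <length> <from>" line that the quoted
 * pop_euidl() branch is trying to produce. The second write is appended
 * after the existing text instead of sprintf'ing buffer into itself.
 * Returns 0 on success, -1 if the line would not fit in cap bytes. */
int build_euidl_line(char *buf, size_t cap, int msg_id, const char *uidl_str,
                     long length, const char *from_hdr)
{
    char *nl;
    int n = snprintf(buf, cap, "%d %s", msg_id, uidl_str);

    if (n < 0 || (size_t)n >= cap)
        return -1;
    /* the UIDL comes from a header line, so drop its trailing newline */
    if ((nl = strchr(buf, NEWLINE)) != NULL)
        *nl = '\0';
    return append_fmt(buf, cap, " %ld %.128s", length, from_hdr);
}

/* Constructed sample values (hypothetical, not from any real mailbox). */
static const int   sample_id     = 3;
static const char *sample_uidl   = "0123456789abcdef0123456789abcdef\n";
static const long  sample_length = 1234;
static const char *sample_from   = "alice@example.org";

/* Returns the line built into a buffer that is large enough. */
const char *example_line(void)
{
    static char buf[256];
    if (build_euidl_line(buf, sizeof buf, sample_id, sample_uidl,
                         sample_length, sample_from) != 0)
        return "";
    return buf;
}

/* Returns the status for a buffer that is too small: -1, nothing written
 * past the end. */
int example_truncated(void)
{
    char small[16];
    return build_euidl_line(small, sizeof small, sample_id, sample_uidl,
                            sample_length, sample_from);
}

int main(void)
{
    printf("%s\n", example_line());
    printf("small buffer: %d\n", example_truncated());
    return 0;
}
```

The point of the bounded variant is that the two failure modes of the original line are separated: the overlap (undefined behaviour, possibly a runaway copy) disappears because the destination is always past the existing text, and the length question that the original never asked is answered by the return value, so a caller can reject an over-long UIDL or From header rather than have it run off the end of the buffer.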