Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!seismo!mcvax!ace!konijn From: konijn@ace.UUCP Newsgroups: comp.bugs.4bsd Subject: inc(1) dumps core + fix Message-ID: <247@ace.UUCP> Date: Tue, 24-Mar-87 13:12:57 EST Article-I.D.: ace.247 Posted: Tue Mar 24 13:12:57 1987 Date-Received: Fri, 27-Mar-87 01:01:17 EST Sender: henk@ace.UUCP Reply-To: konijn@ace.UUCP (Erik van Konijnenburg) Distribution: world Organization: ACE Associated Computer Experts bv, Amsterdam Lines: 78 Index: /usr/src/new/mh/sbr/m_getfld.c Description: The MH package as distributed on the Florence EUUG tape and with BSD 4.3 was tuned for speed on a vax. It shows. The routine matchc() is written both in vax assembler and C code. The C version can find a match even after the end of the string to be searched. This means inc(1) can copy a chunk of data too large to fit the output buffer, corrupting the malloc(3) administration. Repeat-By: Receive a message with lots of "\nFro" strings in it, hope for a specific constellation of buffer and message sizes and watch inc(1) drop core. Fix: Apply the following diff to ~mh/sbr/m_getfld.c for a new implementation of matchc(). *** m_getfld.c Fri Mar 20 15:59:20 1987 --- /tmp/1 Fri Mar 20 16:47:35 1987 *************** *** 579,605 **** register int strln; register char *str; { ! register char *s; ! register char *p; ! register int pcnt; ! register char pfirst; ! strln -= patln; ! patln --; ! pfirst = *pat++; ! while (strln-- >= 0) { ! s = str; ! if (*s++ == pfirst) { ! p = pat; ! pcnt = patln; ! do { ! if (pcnt-- == 0) ! return str; ! } while (*p++ == *s++); ! } ! str++; } - return 0; } #endif --- 579,601 ---- register int strln; register char *str; { ! register char *pp; ! register int pl; ! register char pc = *pat++; ! for(;;) { ! while (pc != *str++ && --strln > 0) ! ; ! if (strln < 0) ! return 0; ! ! pp = pat; pl = patln; ! while (--pl > 0 && *str++ == *pp++) ! ; ! str += (pl - patln); ! if (pl == 0) ! return (str); } } #endif --------- Erik van Konijnenburg, , ...!mcvax!ace!konijn, ACE Associated Computer Experts bv, Amsterdam, the Netherlands