Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!onfcanim!dave
From: dave@onfcanim.UUCP
Newsgroups: comp.bugs.4bsd
Subject: /bin/mail trashes its stack
Message-ID: <15447@onfcanim.UUCP>
Date: Fri, 30-Oct-87 10:59:47 EST
Article-I.D.: onfcanim.15447
Posted: Fri Oct 30 10:59:47 1987
Date-Received: Sat, 31-Oct-87 12:19:46 EST
Organization: National Film Board / Office national du film, Montreal
Lines: 82


Subject: /bin/mail overflows buffer, trashes stack  +fix
Index:	bin/mail.c 4.3BSD

Description:
	Sendmail uses /bin/mail to deliver local mail, passing it the
	return address in the arg list.  Mail then copies it into a
	100-byte buffer without checking for overflow.  Long return
	addresses trash the stack, producing a variety of potential
	behaviours.  Here, a particular address caused it to go into
	an infinite loop.

Repeat-By:
	Try /bin/mail -r <very long address, say 150 bytes> <yourname>

Fix:
	Make "truename" a pointer, since it doesn't seem to need a copy
	of the string.

*** mail.old	Fri Oct 30 10:29:51 1987
--- mail.c	Fri Oct 30 10:55:27 1987
***************
*** 418,424 ****
  bulkmail(argc, argv)
  char **argv;
  {
! 	char truename[100];
  	int first;
  	register char *cp;
  	int gaver = 0;
--- 418,424 ----
  bulkmail(argc, argv)
  char **argv;
  {
! 	char *truename;
  	int first;
  	register char *cp;
  	int gaver = 0;
***************
*** 448,454 ****
  		exit(EX_UNAVAILABLE);
  	}
  
- 	truename[0] = 0;
  	line[0] = '\0';
  
  	/*
--- 448,453 ----
***************
*** 464,470 ****
  			if (argc <= 1)
  				usage();
  			gaver++;
! 			strcpy(truename, argv[1]);
  			fgets(line, LSIZE, stdin);
  			if (strcmpn("From", line, 4) == 0)
  				line[0] = '\0';
--- 463,469 ----
  			if (argc <= 1)
  				usage();
  			gaver++;
! 			truename = argv[1];
  			fgets(line, LSIZE, stdin);
  			if (strcmpn("From", line, 4) == 0)
  				line[0] = '\0';
***************
*** 490,496 ****
  	if (argc <= 1)
  		usage();
  	if (gaver == 0)
! 		strcpy(truename, my_name);
  	time(&iop);
  	fprintf(tmpf, "%s%s %s", from, truename, ctime(&iop));
  	iop = ftell(tmpf);
--- 489,495 ----
  	if (argc <= 1)
  		usage();
  	if (gaver == 0)
! 		truename = my_name;
  	time(&iop);
  	fprintf(tmpf, "%s%s %s", from, truename, ctime(&iop));
  	iop = ftell(tmpf);