Path: utzoo!mnetor!uunet!epiwrl!epimass!jbuck
From: jbuck@epimass.EPI.COM (Joe Buck)
Newsgroups: news.software.b
Subject: Bug found! (was: Strange Core Dumps)
Message-ID: <1729@epimass.EPI.COM>
Date: 13 Dec 87 23:29:22 GMT
References: <2122@crash.cts.com> <7961@princeton.Princeton.EDU> <3618@hoptoad.uucp>
Reply-To: jbuck@epimass.EPI.COM (Joe Buck)
Organization: Entropic Processing, Inc., Cupertino, CA
Lines: 37
Summary: Message-IDs with a % character may be fatal to inews

In article <3618@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>pep@princeton.Princeton.EDU (Pat Parseghian) wrote:
>> - The offending articles are the only ones in my history file with a "%" in a
>>   Message-ID.
>> - One of the articles () has a References line
>>   that is not a valid Message-ID (to the best of my understanding).
>
>It occurs to me that if somehow a string like this was passed to "printf"
>or maybe "scanf", the big number after the % might cause havoc, like an
>attempt to malloc() a large amount of memory.

With John's posting as a clue, I looked for unprotected printf calls, and
I believe I've found it.  In the broadcast function in file ifuncs.c,
there appears the call

	log (sentbuf);

"sentbuf" is a string formed by strcat calls; the result is a line in your
/usr/lib/news/log file like

Dec 13 13:08 ucat <2224@dasys1.UUCP> sent to epiwrl, frs, csi

The first argument to "log" is a printf format string.  It contains the
message-ID.  So any message-ID with a % is potentially fatal to inews.

Solution: change this call, and any others, to never give a first argument
to log or logerr unless it's certain there's no % in it.

Meanwhile, it might be a good idea for those people whose message IDs
contain a % to change them, since it'll take a while to get this bug fixed
everywhere.  This is even though it's a perfectly legal Message-ID
according to the standard.
-- 
- Joe Buck  {uunet,ucbvax,sun,decwrl,}!epimass.epi.com!jbuck
Old internet mailers: jbuck%epimass.epi.com@uunet.uu.net
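The defect Joe describes is a format-string bug: a buffer that contains untrusted text (the message-ID) is passed to a printf-style logger as its format rather than as an argument. The following C is an added example, not code from inews or from this post. It uses a hypothetical `news_log()` stand-in for inews's `log()` (it formats into a caller-supplied buffer rather than appending to /usr/lib/news/log), an audit helper `count_format_directives()` that reports how many conversions printf would act on if a given string were used as a format, and `log_sent_safe()`, which applies the fix the post proposes: a constant `"%s"` format with `sentbuf` as the argument. The message-IDs in `main` are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for inews's log(): a printf-style logger that
 * formats into a caller-supplied buffer instead of /usr/lib/news/log.
 * Not inews's real code. */
static void news_log(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Audit helper: count the conversions printf would act on if this
 * string were used as a format. "%%" is a literal percent and counts
 * as none; any other '%' starts a directive that would consume an
 * argument nobody passed. A non-zero result means the string must
 * never be the first argument of log()/logerr(). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, harmless */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The pattern the post warns about: sentbuf is built from the
 * message-ID and then handed to log() as the format. Here the buffer
 * is built the same way but only inspected, never passed as a format.
 * Returns 1 if such a call would have been unsafe. */
int would_be_unsafe_as_format(const char *msgid, const char *sites)
{
    char sentbuf[512];
    snprintf(sentbuf, sizeof sentbuf, "%s sent to %s", msgid, sites);
    return count_format_directives(sentbuf) > 0;
}

/* The fix the post proposes: the untrusted text is always an argument
 * and the format is a constant, so a '%' in a message-ID is just a
 * character in the output. */
void log_sent_safe(char *out, size_t outsz, const char *msgid, const char *sites)
{
    char sentbuf[512];
    snprintf(sentbuf, sizeof sentbuf, "%s sent to %s", msgid, sites);
    news_log(out, outsz, "%s", sentbuf);
}

int main(void)
{
    /* Constructed message-IDs: a plain one, and one with a '%' in the
     * local part, which the standard permits. */
    const char *plain = "<2224@dasys1.UUCP>";
    const char *pct   = "<8712130001.AA00001%relay@example.UUCP>";
    char line[600];

    printf("%s -> %d directive(s)\n", plain, count_format_directives(plain));
    printf("%s -> %d directive(s)\n", pct, count_format_directives(pct));
    printf("unsafe as format? plain=%d pct=%d\n",
           would_be_unsafe_as_format(plain, "epiwrl"),
           would_be_unsafe_as_format(pct, "epiwrl"));

    log_sent_safe(line, sizeof line, pct, "epiwrl, frs, csi");
    printf("logged safely: %s\n", line);
    return 0;
}
```

`count_format_directives()` is the check an audit of ifuncs.c would apply to every buffer that reaches `log()` or `logerr()` as a first argument; the durable fix is not to scan for `%` at each call site but to make the format a string literal everywhere, as `log_sent_safe()` does.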