Path: utzoo!mnetor!uunet!husc6!rutgers!iuvax!ndmath!dean
From: dean@ndmath.UUCP (Dean Alvis)
Newsgroups: news.software.b
Subject: Re: Strange Core Dumps
Message-ID: <545@ndmath.UUCP>
Date: 19 Dec 87 23:05:25 GMT
References: <2122@crash.cts.com> <7961@princeton.Princeton.EDU> <3618@hoptoad.uucp>
Organization: Math. Dept., Univ. of Notre Dame
Lines: 26
Summary: That's it!

In article <3618@hoptoad.uucp>, gnu@hoptoad.uucp (John Gilmore) writes:
> [...]
> It occurs to me that if somehow a string like this was passed to "printf"
> or maybe "scanf", the big number after the % might cause havoc, like an
> [...]

The problem is the call to log() near the end of broadcast() in ifuncs.c.
In broadcast(), the Message-ID string is copied into sentbuf, then the names
of systems the article is sent to are appended. When leaving broadcast(), the
line "log(sentbuf)" is s'posed to record a "sent to" line in the log file.
However, the first argument to log() is a format string (if I remember
correctly), so the "%" confuses the fprintf (?) in log(). This explains why
the articles were successfully sent, but no "sent to" line was recorded.

As a test, I sent one of the offending articles through rnews, with its
original header, and the same problem occurred. After the Message-ID line was
fixed (i.e. the "%" removed), it was sent through rnews again, and no problem
occurred.

Perhaps one fix would be to use "log("%s",sentbuf)" - I can't claim to have
tried this yet, though.

dean
--
dean@ndmath.UUCP
Dean Alvis, Math. Dept., Univ. of Notre Dame, Notre Dame IN, 46556
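
The fix suggested in the post above, as an added C example that is not part of the original post or the news software's source: the record is passed as data behind a constant "%s" format, and a small audit helper counts the conversions printf would have tried to consume. The names log_msg, record_sent and count_conversions, the wording of the "sent to" line, and the sample Message-ID are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[512];          /* stands in for the log file */

/* Hypothetical stand-in for log(): the first argument is a printf-style
 * format string, as the post describes. */
static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Count the conversions printf would try to process if `s` were used as a
 * format string. "%%" is a literal percent sign and is not counted. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Build the "sent to" record and log it as data, never as a format. */
static const char *record_sent(const char *msgid, const char *systems)
{
    char sentbuf[256];
    snprintf(sentbuf, sizeof sentbuf, "%s sent to %s", msgid, systems);
    /* Unsafe form from the post: log_msg(sentbuf); the '%' is interpreted. */
    log_msg("%s", sentbuf);
    return last_log;
}

/* Constructed sample: a Message-ID with '%' followed by a large number. */
static const char SAMPLE_ID[] = "<1234%99999999d@site.UUCP>";

int main(void)
{
    printf("conversions if used as format: %d\n", count_conversions(SAMPLE_ID));
    printf("logged: %s\n", record_sent(SAMPLE_ID, "hostA hostB"));
    return 0;
}
```

With GCC or Clang, declaring the logging function with the printf format attribute and compiling with -Wformat-security makes the compiler flag calls of the unsafe form.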