Xref: utzoo comp.bugs.4bsd:1209 comp.mail.sendmail:542
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!bloom-beacon!mit-eddie!bu-cs!dartvax!eleazar.dartmouth.edu!steve
From: steve@eleazar.dartmouth.edu (Steve Campbell)
Newsgroups: comp.bugs.4bsd,comp.mail.sendmail
Subject: Long headers cause sendmail loop (5.59, 5.61) +FIX
Message-ID: <12274@dartvax.Dartmouth.EDU>
Date: 17 Feb 89 21:04:22 GMT
Sender: news@dartvax.Dartmouth.EDU
Reply-To: steve@eleazar.dartmouth.edu (Steve Campbell)
Followup-To: comp.bugs.4bsd
Organization: Dartmouth College, Hanover, NH
Lines: 38

Subject: Long headers cause sendmail loop (5.59, 5.61) +FIX
Index: usr.lib/sendmail/src/util.c 4.3BSD

Description:
	Sendmail will loop in sfgets if you feed it a message with a
	header (often the To:) that exceeds sendmail's 2500 byte
	MAXFIELD limit. The reason is that collect() calls sfgets()
	(at line 124 in collect.c) with a length argument that varies,
	and when the header exceeds 2500 bytes, that argument goes
	negative, causing a loop in sfgets.

Repeat-By:
	Feed sendmail a message with enough recipients to exceed 2500
	bytes. This can happen when the original recipients' addresses
	are "user" but get rewritten to "user@domain".

Fix:
	The complete fix is to make collect() more intelligent about
	handling long headers. Would someone like to step forward?
	A damage-control fix is to make sfgets check its length arg.
	Here are patches for 5.61.

*** /tmp/,RCSt1013479 Wed Feb 15 14:44:23 1989 --- util.c Wed Feb 15 13:05:00 1989 *************** *** 582,587 **** --- 582,594 ---- register char *p; extern readtimeout(); + /* check for reasonable siz arg */ + if (siz < 1) + { + buf[0] = '\0'; + return (NULL); + } + /* set the timeout */ if (ReadTimeout != 0) {
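
Review bot: the store "buf[0] = '\0';" inside the new "if (siz < 1)" block runs exactly when the caller has said there is no room at buf, and by the post's own description siz goes negative once the header has passed the 2500-byte limit, so this one-byte write is not covered by the length that was passed in. Suggest returning NULL without touching buf, or clamping the length in collect() before the call so sfgets never sees a value below 1. The early "return (NULL);" is also silent: nothing in the hunk records that a header was cut off, so a log line at this point would make the oversize input visible to whoever runs the mailer.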