From: David Eisner (cradle@glue.umd.edu)
Date: Wed Apr 11 2001 - 15:51:32 CDT
Hi. I've been looking at the CVS version of hypermail, and
in the process of trying to track down a bug, I ran the code
through Purify. I found an uninitialized memory read in
the latest version (1.3) of getname.c. I don't think it's critical,
but I thought I'd point it out.
The actual read error occurs on line 277, in the getname() function:
277 if (name[i-1] == ' ' && *c == '<' || *c == '(')
278 name[--i] = '\0';
279 else
280 name[i] = '\0';
The problem is that the variable i can be zero here, causing a read
of name[ -1 ].
This case is triggered when the From line looks like this:
"From: <foo@bar.com>\n"
With this input, the first if-clause at line 176 is satisfied:
170 /*
171 * NAME Processing - Boy are there a bunch of funky formats here.
172 * No promises... I'll do my best. Let me know
173 * what I missed...
174 */
175
176 if (strchr(line, '<')) {
177 c = strchr(line, ':') + 1;
178 while (*c == ' ' || *c == '\t')
179 c++;
...
Then the last case of the nested-if (line 205) is satisfied:
205 else if (*c == '<') { /* Comment may be on the end */
206 /* From: <bill@celestial.com> Bill Campbell */
207 c = strchr(line, '>') + 1;
208 for (i = 0, len = NAMESTRLEN - 1; *c && *c != '\n' && i < len;
209 c++)
210 name[i++] = *c;
211
212 comment_fnd = 1;
213 }
Since the next character after the '>' in the From line is a newline,
the body of the for-loop isn't executed, and i is zero. Then, comment_fnd
is set to 1.
You'll see that the next line that gets executed is 277, and i is still
zero.
I don't have a patch, because I've just started looking at the code,
and this function is pretty hairy. Hope this helps, though.
-David
-----------------------------------------------------
David Eisner | E-mail: cradle@eng.umd.edu |
CALCE EPSC | Phone: 301-405-5341 |
University of Maryland | Fax: 301-314-9269 |
-----------------------------------------------------
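The case described in the message above, worked through as an added C example. This is not hypermail's code and not David's: it re-implements only the `<addr> Comment` branch (quoted lines 205-213) and the trimming at lines 277-280 in a stand-alone form, keeps the original's operator grouping in the `if`, and adds the `i > 0` guard that prevents the `name[-1]` read. The function names, the `stop` out-parameter and the value of `NAMESTRLEN` are assumptions for the example; the input lines are constructed from the message, not captured from a real mailbox.

```c
#include <stddef.h>
#include <string.h>

#define NAMESTRLEN 256   /* assumed; hypermail's real value is not on this page */

/* Copy what follows "<addr>" on a From: line into name, stopping at a newline,
 * the end of the string or the buffer limit, as the loop at the quoted
 * lines 208-210 does.  Returns the count i and leaves *stop pointing at the
 * character the loop stopped on; returns -1 if the line has no '<' or '>'. */
static int copy_after_addr(const char *line, char *name, size_t namelen,
                           const char **stop)
{
    const char *c;
    size_t i = 0, len = namelen - 1;

    if (!strchr(line, '<') || !(c = strchr(line, '>')))
        return -1;
    for (c++; *c && *c != '\n' && i < len; c++)
        name[i++] = *c;
    *stop = c;
    return (int)i;
}

/* Returns 1 when the unguarded test at the quoted line 277 would evaluate
 * name[i-1] with i == 0, i.e. read name[-1].  The read itself is not done,
 * so this can be called safely on any input. */
int original_reads_before_buffer(const char *line)
{
    char scratch[NAMESTRLEN];
    const char *stop;
    return copy_after_addr(line, scratch, sizeof scratch, &stop) == 0;
}

/* Hardened version of the quoted lines 205-213 plus 277-280: same copy, same
 * trimming, but name[i-1] is only examined when i > 0.  The original's
 * grouping ((A && B) || C), which is what C's precedence gives the unparenthesized
 * expression, is kept; only the i > 0 guard is new.  Returns the final length
 * of name, or -1 for From: lines this simplified parser does not handle. */
int getname_fixed(const char *line, char *name, size_t namelen)
{
    const char *c;
    int i = copy_after_addr(line, name, namelen, &c);

    if (i < 0)
        return -1;
    if (i > 0 && ((name[i-1] == ' ' && *c == '<') || *c == '('))
        name[--i] = '\0';
    else
        name[i] = '\0';
    return i;
}
```

With the reported input `"From: <foo@bar.com>\n"` the copy loop never runs, `original_reads_before_buffer` reports the out-of-bounds condition, and `getname_fixed` returns an empty name without touching `name[-1]`; the `"<bill@celestial.com> Bill Campbell"` shape from the code comment still copies the comment, and a deliberately small buffer exercises the trailing-space trimming path.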