Subject: bin/15000: mail(1) doesn't reposition pointer correctly
To: None <gnats-bugs@gnats.netbsd.org>
From: None <mheffner@vt.edu>
List: netbsd-bugs
Date: 12/18/2001 14:29:01
>Number: 15000
>Category: bin
>Synopsis: mail(1) doesn't reposition pointer correctly
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 18 14:29:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Mike Heffner
>Release: N/A
>Organization:
>Environment:
N/A
>Description:
While merging the NetBSD changes into the FreeBSD version of mail(1),
I found that there is a bug in which the 'dot' pointer can become corrupt.
In fio.c::makemessage() the 'dot' pointer is reset for a malloc() operation,
but if realloc() is called, and the buffer is moved in memory, the dot pointer
will point to a stale buffer. Further operations using the dot variable will
fail.
>How-To-Repeat:
Noticed when using 'set autoinc' and receiving mail while mail(1) is running
in interactive mode. Various operations would fail with negative message
numbers.
>Fix:
This patch directly fixes the problem:
--- fio.c.orig Tue Dec 18 01:23:20 2001
+++ fio.c Tue Dec 18 01:24:08 2001
@@ -284,10 +284,12 @@
size_t size = (msgCount + 1) * sizeof(struct message);
if (omsgCount) {
+ int dotoff = message != NULL ? dot - message : 0;
message = (struct message *)realloc(message, size);
if (message == 0)
errx(1, "Insufficient memory for %d messages\n",
msgCount);
+ dot = &message[dotoff];
} else {
if (message != 0)
(void)free(message);
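Review bot: the guard on `int dotoff = message != NULL ? dot - message : 0;` checks only `message`, but the subtraction also reads `dot`; if `dot` is NULL or points outside the array the difference is undefined, and `dot = &message[dotoff];` then rebuilds a pointer from a meaningless offset. Suggest `ptrdiff_t dotoff = (message != NULL && dot != NULL) ? dot - message : 0;` so the type matches a pointer difference and an unset dot is treated as index 0 rather than fed into undefined arithmetic. A smaller point on the same lines: `message = (struct message *)realloc(message, size);` overwrites the only copy of the old pointer before the `message == 0` check; errx() exits so nothing is leaked here, but assigning to a temporary first would keep the old array valid if that path ever stopped being fatal.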
or, the following patch by Todd Miller cleans up the whole function to
be simpler:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/fio.c.diff?r1=1.20&r2=1.21
>Release-Note:
>Audit-Trail:
>Unformatted:
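The stale-pointer problem described in the PR, reduced to a stand-alone C program. This is an added example, not code from the PR, from NetBSD or from FreeBSD: `struct message` is cut down to a message number, the globals `message`, `dot` and `msgCount` keep the names used in the report, and the functions `init_messages`, `set_dot`, `dot_index`, `grow_messages_unsafe` and `grow_messages` are hypothetical helpers written for this demonstration. `grow_messages_unsafe` mirrors the original realloc() branch (array grows, `dot` left alone) and reports whether realloc() moved the block, comparing addresses captured as integers so the dangling pointer is never dereferenced; `grow_messages` applies the PR's offset-save-and-restore fix with a `ptrdiff_t` offset and a guard on `dot` as well as `message`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Cut-down stand-in for mail(1)'s struct message: only the number matters here. */
struct message {
    int m_number;
};

/* The three globals involved in the bug, named as in the PR (assumed layout). */
static struct message *message = NULL; /* the message array */
static struct message *dot = NULL;     /* the current message; points into message[] */
static int msgCount = 0;

/* Mirror of the malloc() path: fresh array, dot reset to the first message. */
int init_messages(int count)
{
    free(message);
    message = malloc((size_t)(count + 1) * sizeof(struct message));
    if (message == NULL)
        return -1;
    for (int i = 0; i < count; i++)
        message[i].m_number = i + 1;
    msgCount = count;
    dot = message;
    return 0;
}

/* Point dot at message[idx]; -1 if idx is out of range. */
int set_dot(int idx)
{
    if (message == NULL || idx < 0 || idx >= msgCount)
        return -1;
    dot = &message[idx];
    return 0;
}

/* Index of dot within message[], or -1 if unset. */
int dot_index(void)
{
    return (message != NULL && dot != NULL) ? (int)(dot - message) : -1;
}

/*
 * The original realloc() branch: the array grows but dot is left alone.
 * Returns 1 if realloc() moved the block (dot now dangles), 0 if it stayed
 * in place, -1 on allocation failure. The old base address is captured as
 * an integer before the call so the freed pointer's value is never used.
 */
int grow_messages_unsafe(int newCount)
{
    uintptr_t oldbase = (uintptr_t)message;
    struct message *nmsg = realloc(message, (size_t)(newCount + 1) * sizeof(struct message));
    if (nmsg == NULL)
        return -1;
    message = nmsg;
    for (int i = msgCount; i < newCount; i++)
        message[i].m_number = i + 1;
    msgCount = newCount;
    return (uintptr_t)message != oldbase;
}

/*
 * The PR's fix, with two adjustments: the offset is a ptrdiff_t and dot is
 * only subtracted when it is set. Returns the index dot ends up at, or -1 on
 * allocation failure, in which case the old array and dot are left intact.
 */
int grow_messages(int newCount)
{
    ptrdiff_t dotoff = (message != NULL && dot != NULL) ? dot - message : 0;
    struct message *nmsg = realloc(message, (size_t)(newCount + 1) * sizeof(struct message));
    if (nmsg == NULL)
        return -1;
    message = nmsg;
    dot = &message[dotoff]; /* same index, recomputed against the new base */
    for (int i = msgCount; i < newCount; i++)
        message[i].m_number = i + 1;
    msgCount = newCount;
    return (int)dotoff;
}

int main(void)
{
    init_messages(3);
    set_dot(1);
    int moved = grow_messages_unsafe(1 << 16);
    printf("unsafe grow: realloc %s the array\n", moved ? "moved" : "kept");
    set_dot(1); /* re-establish dot from an index; it may be dangling now */
    int idx = grow_messages(1 << 18);
    printf("fixed grow: dot at index %d, message %d of %d\n", idx, dot->m_number, msgCount);
    free(message);
    return 0;
}
```

Whether the unsafe path actually dangles depends on the allocator: a small-to-large realloc() almost always moves the block, which is why the PR saw the failure only after receiving mail during an interactive session, once the array had to grow. The fixed path is correct regardless of whether the block moved, because it never keeps a pointer across the realloc(), only an index.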