Subject: Re: bin/34658: [dM] identd truncates queries to first segment
To: None <peter@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 09/29/2006 16:15:05
The following reply was made to PR bin/34658; it has been noted by GNATS.

From: Christian Biere <christianbiere@gmx.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/34658: [dM] identd truncates queries to first segment
Date: Fri, 29 Sep 2006 18:11:56 +0200

 der Mouse wrote:
 >  >> +		if ((n = recv(fd, &buf[qlen], sizeof(buf)-qlen, 0)) < 0) {
 >  
 >  >  This looks like asking for a buffer overflow to me.  There's no
 >  >  protection that prevents qlen from exceeding "sizeof buf".
 >  
 >  For that to happen, recv() would have to return a value greater than
 >  its third argument.
 
 No, "sizeof(buf)-qlen" becomes negative but the 3rd argument of
 recv() has type size_t which means it is promoted to a huge unsigned
 integer value.
 
 >  +	while (1) {
 >  +		if (qlen >= sizeof(buf)) {
 >  +			/* buf filled - ridiculously large query */
 
 The buffer is only 4 KiB large; it doesn't take much to let it
 overflow.
 
 -- 
 Christian
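The two points argued in this thread, the size_t wraparound of `sizeof(buf)-qlen` and the full-buffer guard that has to come before the subtraction, can be shown side by side. The following is an added example, not code from the NetBSD identd source or from this PR; it uses a constructed in-memory stand-in for recv() (`fake_recv`, delivering a fixed number of bytes per call to emulate segmented delivery) and a 4 KiB buffer as discussed above. `remaining_unguarded` reproduces the bare subtraction, `remaining_guarded` and `read_query` show the checked form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define QUERY_BUF_SIZE 4096   /* constructed: the 4 KiB buffer discussed in the thread */

/* Bare subtraction as it appears in the quoted recv() call. Both operands are
 * unsigned, so if qlen ever exceeds bufsize the result wraps to a huge value
 * instead of going negative. */
size_t remaining_unguarded(size_t bufsize, size_t qlen) {
    return bufsize - qlen;
}

/* Checked form: a full (or over-full) buffer yields 0 free bytes, so the
 * subtraction can never wrap. */
size_t remaining_guarded(size_t bufsize, size_t qlen) {
    if (qlen >= bufsize)
        return 0;
    return bufsize - qlen;
}

/* Constructed stand-in for a socket: an in-memory byte stream delivered
 * `seg` bytes per call, so one query can arrive in several segments. */
struct fake_sock {
    const char *data;
    size_t len;
    size_t pos;
    size_t seg;
};

/* Mimics recv(fd, dst, len, 0): copies at most `len` bytes, at most one
 * segment, and returns 0 once the stream is exhausted. */
static ssize_t fake_recv(struct fake_sock *s, char *dst, size_t len) {
    size_t n = s->len - s->pos;
    if (n > s->seg)
        n = s->seg;
    if (n > len)
        n = len;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Accumulates an ident query across segments until a newline arrives.
 * Returns the query length, -1 if the buffer fills without a terminator,
 * -2 if the stream ends early. The full-buffer check runs before the
 * subtraction on every iteration, which is what keeps bufsize - qlen sane. */
int read_query(struct fake_sock *s, char *buf, size_t bufsize) {
    size_t qlen = 0;
    for (;;) {
        if (qlen >= bufsize)
            return -1;                      /* buf filled: ridiculously large query */
        ssize_t n = fake_recv(s, buf + qlen, bufsize - qlen);
        if (n <= 0)
            return -2;
        qlen += (size_t)n;
        /* Only scan the bytes just received for the terminator. */
        if (memchr(buf + qlen - (size_t)n, '\n', (size_t)n) != NULL)
            return (int)qlen;
    }
}

/* Scenario 1: a short query split into 4-byte segments is reassembled whole. */
int demo_segmented_query(void) {
    static const char q[] = "1234, 5678\r\n";            /* constructed query */
    struct fake_sock s = { q, sizeof(q) - 1, 0, 4 };
    char buf[QUERY_BUF_SIZE];
    return read_query(&s, buf, sizeof(buf));
}

/* Scenario 2: an unterminated stream larger than the buffer is rejected. */
int demo_oversized_query(void) {
    static char big[5000];                                 /* constructed junk */
    memset(big, 'a', sizeof(big));
    struct fake_sock s = { big, sizeof(big), 0, 4 };
    char buf[QUERY_BUF_SIZE];
    return read_query(&s, buf, sizeof(buf));
}

int main(void) {
    printf("unguarded 4096-4097 = %zu\n", remaining_unguarded(4096, 4097));
    printf("guarded   4096-4097 = %zu\n", remaining_guarded(4096, 4097));
    printf("segmented query length = %d\n", demo_segmented_query());
    printf("oversized query result = %d\n", demo_oversized_query());
    return 0;
}
```

The first printf shows the wrap Christian describes (SIZE_MAX on a 64-bit build), and the guarded loop shows why the `qlen >= sizeof(buf)` test has to sit at the top of the loop rather than after the recv() call.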