pkgsrc-Bugs archive
pkg/38986: fetchmail-SA-2008-01: Crash on large log messages in verbose mode
>Number: 38986
>Category: pkg
>Synopsis: fetchmail-SA-2008-01: Crash on large log messages in verbose mode
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jun 19 12:05:00 +0000 2008
>Originator: Mustafa Dogan
>Release: NetBSD-4_STABLE
>Organization:
Ankara University, Faculty of Political Sciences
>Environment:
NetBSD md.politics.ankara.edu.tr 4.0_STABLE NetBSD 4.0_STABLE (MuDo) #0: Wed Jun 11 09:26:48 EEST 2008 root%md.politics.ankara.edu.tr@localhost:/root/OBJ/sys/arch/i386/compile/MuDo i386
>Description:
From http://fetchmail.berlios.de/fetchmail-SA-2008-01.txt:
"Gunter Nau reported fetchmail crashing on some messages; further
debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
dug up that this happened when fetchmail was trying to print, in -v -v
verbose level, headers exceeding 2048 bytes. In this situation,
fetchmail would resize the buffer and fill in further parts of the
message, but forget to reinitialize its va_list typed source pointer,
thus reading data from a garbage address found on the stack at
addresses above the function arguments the caller passed in; usually
that would be the caller's stack frame."
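As an added illustration, not part of this PR and not fetchmail's own report.c, the following C program reproduces the growable-buffer pattern the advisory describes and shows the safe way to retry vsnprintf() after the buffer has been resized: every attempt works on a fresh va_copy() of the argument list, which is the C99 equivalent of the per-iteration VA_START in fetchmail's fix. All names (fmt_append, fmt_reset, fmt_get, fmt_capacity, fmt_append_padded, CHUNK) are hypothetical; the 2048-byte growth step is the figure quoted in the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names, modelled on report_build()'s retry loop; not fetchmail code. */
#define CHUNK 2048   /* growth step, matching the 2048 bytes named in the advisory */

static char  *partial_message = NULL;
static size_t partial_message_size = 0;       /* bytes allocated */
static size_t partial_message_size_used = 0;  /* bytes written, excluding the NUL */

/* Drop any accumulated text and start with one empty chunk. 0 on success, -1 on ENOMEM. */
int fmt_reset(void)
{
    free(partial_message);
    partial_message = malloc(CHUNK);
    partial_message_size = partial_message ? CHUNK : 0;
    partial_message_size_used = 0;
    if (partial_message == NULL)
        return -1;
    partial_message[0] = '\0';
    return 0;
}

const char *fmt_get(void)      { return partial_message; }
size_t      fmt_capacity(void) { return partial_message_size; }

/* Append formatted text, growing the buffer by CHUNK until the output fits.
 * Returns the number of characters appended, or -1 on error. */
int fmt_append(const char *message, ...)
{
    va_list args;
    if (partial_message == NULL && fmt_reset() != 0)
        return -1;
    va_start(args, message);
    for (;;) {
        va_list attempt;
        int n;
        /* A va_list handed to vsnprintf() is indeterminate afterwards. The bug in
         * the advisory was reusing 'args' on the retry after the buffer grew, so
         * the second vsnprintf() walked an exhausted list and read garbage from
         * the stack. Working on a fresh copy per attempt avoids that. */
        va_copy(attempt, args);
        n = vsnprintf(partial_message + partial_message_size_used,
                      partial_message_size - partial_message_size_used,
                      message, attempt);
        va_end(attempt);
        if (n < 0) {                      /* encoding error */
            va_end(args);
            return -1;
        }
        if ((size_t)n < partial_message_size - partial_message_size_used) {
            partial_message_size_used += (size_t)n;   /* it fit, NUL included */
            va_end(args);
            return n;
        }
        /* Truncated: grow by one chunk and retry from the same write offset. */
        {
            char *p = realloc(partial_message, partial_message_size + CHUNK);
            if (p == NULL) {
                va_end(args);
                return -1;
            }
            partial_message = p;
            partial_message_size += CHUNK;
        }
    }
}

/* Demo helper: append "name: " followed by len copies of v and a newline. */
int fmt_append_padded(const char *name, char v, size_t len)
{
    char *value = malloc(len + 1);
    int n;
    if (value == NULL)
        return -1;
    memset(value, v, len);
    value[len] = '\0';
    n = fmt_append("%s: %s\n", name, value);
    free(value);
    return n;
}

int main(void)
{
    /* Constructed input: a header line longer than the initial 2048-byte chunk,
     * which forces the realloc-and-retry path the advisory is about. */
    if (fmt_reset() != 0)
        return 1;
    fmt_append_padded("Received", 'x', 3000);
    fmt_append("%s: %d\n", "Content-Length", 42);
    printf("%zu bytes used, %zu allocated\n", partial_message_size_used, fmt_capacity());
    return 0;
}
```

The retry is sound only because the write offset (partial_message_size_used) is not advanced until an attempt fits, so every pass rewrites the same region; the only state that must be refreshed between passes is the argument list, and va_copy() (or re-running va_start, as the upstream fix does for compilers without va_copy) is what provides that.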
>How-To-Repeat:
>Fix:
From http://fetchmail.berlios.de/fetchmail-SA-2008-01.txt:
diff --git a/report.c b/report.c
index 31d4e48..2a731ac 100644
- --- a/report.c
+++ b/report.c
@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
rep_ensuresize();
#if defined(VA_START)
- - VA_START (args, message);
for ( ; ; )
{
+ /*
+ * args has to be initialized before every call of vsnprintf(),
+ * because vsnprintf() invokes va_arg macro and thus args is
+ * undefined after the call.
+ */
+ VA_START(args, message);
n = vsnprintf (partial_message + partial_message_size_used,
partial_message_size - partial_message_size_used,
message, args);
+ va_end (args);
if (n >= 0
&& (unsigned)n < partial_message_size - partial_message_size_used)
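Review bot: moving VA_START into the loop body and pairing it with va_end after each vsnprintf is the right fix for this hunk: C leaves a va_list indeterminate once it has been passed to a v*printf function, so the original code's second pass through the loop, taken after the buffer had been grown, walked an already-consumed list and read whatever lay above the arguments on the stack, which is the crash the advisory describes. One practical point for anyone applying the patch from this text: the lines `- --- a/report.c` and `- - VA_START (args, message);` carry PGP clearsign dash escapes (a `- ` prefixed to lines that start with `-`) from the signed advisory, so they must be de-escaped, or the signed file run through gpg, before patch(1) will accept the diff.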
@@ -254,7 +260,6 @@ report_build (FILE *errfp, message, va_alist)
partial_message_size += 2048;
partial_message = REALLOC (partial_message, partial_message_size);
}
- - va_end (args);
#else
for ( ; ; )
{
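Review bot: dropping the trailing `va_end (args);` here is required once each iteration ends its own list in the hunk above, otherwise the list would be ended twice. The hunk is cut off inside the `#else` branch, the fallback loop used when VA_START is not defined; it has the same `for ( ; ; )` retry structure and needs the same per-iteration va_start/va_end pairing, but that part of the upstream diff is not reproduced in this PR, so the complete patch should be taken from the advisory URL given above rather than from this excerpt.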