[tin-dev] LIST COUNT and '-Q' or '-nqd'

Urs Janßen urs at tin.org
Wed Jan 27 23:51:43 CET 2016


In <mailman.420.1451843988.23414.tin-dev at tin.org>, I wrote:
> --- src/active.c        2015-11-22 00:46:22 +0000
> +++ src/active.c        2016-01-03 17:10:01 +0000
> @@ -316,7 +316,7 @@
>         int window = 0;
>         t_artnum count = T_ARTNUM_CONST(-1), min = T_ARTNUM_CONST(1), max = T_ARTNUM_CONST(0);
>         t_artnum processed = T_ARTNUM_CONST(0);
> -       static char ngname[NNTP_STRLEN]; /* RFC 3977 3.1 limits group names to 497 octets */
> +       static char ngname[NNTP_GRPLEN + 1]; /* RFC 3977 3.1 limits group names to 497 octets */
>         struct t_group *grpptr;
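
Review bot: Shrinking `ngname` from `NNTP_STRLEN` to `NNTP_GRPLEN + 1` at the declaration is only safe if every writer into the buffer is re-bounded in the same change, and this hunk touches none of them. Any `sscanf` width or copy length still derived from `NNTP_STRLEN` now exceeds the buffer. Please fold the bound updates into this patch, or express them as `sizeof(ngname) - 1` so they follow the declaration automatically. The comment could also say that the `+ 1` is for the terminating NUL.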

the patch below should fix the possible buffer overflow created with
the patch above.

=== modified file 'src/active.c'
--- src/active.c	2016-01-21 22:31:24 +0000
+++ src/active.c	2016-01-27 22:44:39 +0000
@@ -405,7 +405,7 @@
 						{
 							char fmt[25];
 
-							snprintf(fmt, sizeof(fmt), "%%"T_ARTNUM_SFMT" %%"T_ARTNUM_SFMT" %%"T_ARTNUM_SFMT" %%%ds", NNTP_STRLEN - 1);
+							snprintf(fmt, sizeof(fmt), "%%"T_ARTNUM_SFMT" %%"T_ARTNUM_SFMT" %%"T_ARTNUM_SFMT" %%%ds", NNTP_GRPLEN);
 							if (sscanf(line, fmt, &count, &min, &max, ngname) != 4) {
 								error_message(2, _(txt_error_invalid_response_to_group), line);
 #	ifdef DEBUG
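
Review bot: The `%%%ds` width on the changed `snprintf` line is now correct only because `ngname` happens to be declared as `NNTP_GRPLEN + 1` some ninety lines earlier, which is the same implicit coupling that produced the overflow. Passing `(int) sizeof(ngname) - 1` instead of `NNTP_GRPLEN` would keep the width tied to the array. Separately, the `snprintf` return value into `fmt[25]` is not checked, so a wider `T_ARTNUM_SFMT` could truncate the format and lose the `%s` width without any error. Checking for a result `>= sizeof(fmt)` before the `sscanf` call would catch that.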







