DELAYED DELETE and very long mailboxes => segfault

Bron Gondwana brong at
Fri Feb 6 08:41:59 EST 2009

This is a fun one... the delayed delete path has a buffer of
MAX_MAILBOX_PATH rather than MAX_MAILBOX_NAME size.  Meaning
it can be longer than a basic mailbox.

Which is actually fine by me.  Does anyone know why the limit
of 490 was chosen?  I can't see anything obvious with a quick

Unfortunately, this crashes idle sending, which uses a straight
strcpy of the passed mailbox name onto a MAX_MAILBOX_NAME
sized buffer.

Anyway, I've worked up a patch (on github, of course) which
creates a 1024 character size MAX_MAILBOX_BUFFER, and uses
that everywhere that a buffer is created.

Plus this little one, which I will apply to CVS immediately,
since it's a clear bugfix.

-------------- next part --------------
diff --git a/imap/idle.c b/imap/idle.c
index 78c6ddf..cffdd56 100644
--- a/imap/idle.c
+++ b/imap/idle.c
@@ -85,7 +85,7 @@ static int idle_send_msg(int msg, const char *mboxname)
     /* fill the structure */
     idledata.msg = msg; = getpid();
-    strcpy(idledata.mboxname, mboxname ? mboxname : ".");
+    strncpy(idledata.mboxname, mboxname ? mboxname : ".", sizeof(idledata.mboxname));
     /* send */
     if (sendto(notify_sock, (void *) &idledata,

More information about the Cyrus-devel mailing list