DELAYED DELETE and very long mailboxes => segfault
Bron Gondwana
brong at fastmail.fm
Fri Feb 6 08:41:59 EST 2009
This is a fun one... the delayed delete path has a buffer of
MAX_MAILBOX_PATH rather than MAX_MAILBOX_NAME size. Meaning
it can be longer than a basic mailbox.

Which is actually fine by me. Does anyone know why the limit
of 490 was chosen? I can't see anything obvious with a quick
google.

Unfortunately, this crashes idle sending, which uses a straight
strcpy of the passed mailbox name onto a MAX_MAILBOX_NAME
sized buffer.

Anyway, I've worked up a patch (on github, of course) which
creates a 1024 character size MAX_MAILBOX_BUFFER, and uses
that everywhere that a buffer is created.

Plus this little one, which I will apply to CVS immediately,
since it's a clear bugfix.

Bron.
-------------- next part --------------
diff --git a/imap/idle.c b/imap/idle.c
index 78c6ddf..cffdd56 100644
--- a/imap/idle.c
+++ b/imap/idle.c
@@ -85,7 +85,7 @@ static int idle_send_msg(int msg, const char *mboxname)
/* fill the structure */
idledata.msg = msg;
idledata.pid = getpid();
- strcpy(idledata.mboxname, mboxname ? mboxname : ".");
+ strncpy(idledata.mboxname, mboxname ? mboxname : ".", sizeof(idledata.mboxname));
/* send */
if (sendto(notify_sock, (void *) &idledata,
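Review bot: the new strncpy call passes the full sizeof(idledata.mboxname) as the bound, so a mailbox name of that length or longer fills the buffer without a terminating NUL. The write overflow is gone, but the struct is then handed to sendto with an unterminated mboxname, and anything that later treats that field as a C string can read past its end. Suggest bounding the copy at sizeof(idledata.mboxname) - 1 and setting the last byte to '\0' explicitly, or using a copy routine that always terminates. Separately, a name that is too long is now silently truncated, so the notification carries a mailbox name that differs from the one passed in; consider logging or refusing over-long names here rather than sending the shortened one.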