bugs in spool_copy_message()
Philip Chambers
P.A.Chambers at exeter.ac.uk
Wed Oct 27 12:23:39 EDT 2004
I have just found two flaws in the code which takes a message into cyrus (typically
during the DATA phase of LMTP). I am amazed that one has existed for so long.
It means that messages with a line longer than 8190 bytes will be rejected with the
error "Message contains NUL characters". (Confirmed in testing.)
The code is in spool_copy_message() in spool.c (used to be in copy_message() in
lmtpengine.c).
The problems are in the loop: while(prot_fgets(...)).
The code after "else if (p[0] == '\r')" ignores the case of a long line which
contains \r\0 within it when it is the \0 which fills the buffer. The code will
fail to notice the \0.
More importantly, a line longer than 8190 characters will be picked up by the else
statement (else if (p[0] != '\n')) and treated as if it has a \0 in it even though it
does not!
I am about to work out a fix but, given the importance of this code, I need to spend
a lot of time making sure I do not introduce a new bug.
As I said, I find it hard to believe that cyrus has been unable to handle long lines
for so long!
Phil.
---------------------------------------
Phil Chambers (postmaster at exeter.ac.uk)
University of Exeter
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
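
An added example, not Cyrus code and not the poster's fix: one way for an fgets()-style read loop to tell a line that merely overflows the buffer from one that really contains a NUL, including the case where the NUL is the last byte that fits. The names `DEMO_BUF`, `read_chunk`, `scan_message` and `scan_bytes` are hypothetical, the 16-byte buffer and the sample byte strings are constructed, and the code assumes fgets() leaves the bytes after its terminator untouched.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_BUF 16 /* constructed: tiny buffer so "long" lines are cheap to build */
enum chunk { CHUNK_EOF, CHUNK_LINE, CHUNK_PARTIAL, CHUNK_NUL };

/* Read one fgets() chunk and classify it; *len gets the bytes really stored.
 * Assumption: fgets() does not modify bytes after the terminator it writes. */
static enum chunk read_chunk(FILE *in, char *buf, size_t size, size_t *len)
{
    size_t n = size;
    memset(buf, 1, size);                    /* non-zero sentinel fill */
    if (!fgets(buf, (int)size, in)) return CHUNK_EOF;
    while (n > 1 && buf[n - 1] != '\0') n--; /* last '\0' is fgets's terminator */
    *len = n - 1;
    if (memchr(buf, '\0', *len)) return CHUNK_NUL;  /* a real NUL in the data */
    return (*len && buf[*len - 1] == '\n') ? CHUNK_LINE : CHUNK_PARTIAL;
}

/* Longest line in bytes, or -1 if the message contains a NUL byte. */
static long scan_message(FILE *in)
{
    char buf[DEMO_BUF]; size_t len, cur = 0; long longest = 0; enum chunk c;
    while ((c = read_chunk(in, buf, sizeof buf, &len)) != CHUNK_EOF) {
        if (c == CHUNK_NUL) return -1;
        cur += len;                          /* partial chunks accumulate */
        if ((long)cur > longest) longest = (long)cur;
        if (c == CHUNK_LINE) cur = 0;        /* newline seen: line complete */
    }
    return longest;
}

/* Feed a constructed byte string through scan_message() via a temp file. */
static long scan_bytes(const char *data, size_t n)
{
    FILE *f = tmpfile();
    long r = -2;                             /* -2: could not set up the input */
    if (!f) return r;
    if (fwrite(data, 1, n, f) == n) { rewind(f); r = scan_message(f); }
    fclose(f);
    return r;
}

int main(void)
{
    printf("long line: %ld\n", scan_bytes("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n", 32));
    printf("NUL at buffer edge: %ld\n", scan_bytes("xxxxxxxxxxxxx\r\0more\r\n", 21));
    return 0;
}
```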