bugs in spool_copy_message()

Philip Chambers P.A.Chambers at exeter.ac.uk
Wed Oct 27 12:23:39 EDT 2004


I have just found two flaws in the code which takes a message into cyrus (typically 
during the DATA phase of LMTP).  I am amazed that one has existed for so long.

It means that messages with a line longer than 8190 bytes will be rejected with the 
error "Message contains NUL characters".  (Confirmed in testing.)

The code is in spool_copy_message() in spool.c (used to be in copy_message() in 
lmtpengine.c).

The problems are in the loop: while(prot_fgets(...)).

The code after "else if (p[0] == '\r')" ignores the case of a long line which 
contains \r\0 within it when it is the \0 which fills the buffer.  The code will 
fail to notice the \0.

More importantly, a line longer than 8190 characters will be picked up by the else 
statement (else if (p[0] != '\n')) and treated as if it has a \0 in it even though it 
does not!

I am about to work out a fix but, given the importance of this code, I need to spend 
a lot of time making sure I do not introduce a new bug.

As I said, I find it hard to believe that cyrus has been unable to handle long lines 
for so long!

Phil.
---------------------------------------
Phil Chambers (postmaster at exeter.ac.uk)
University of Exeter
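
The second flaw described in the post above, shown as an added example that is not part of the original message and is not Cyrus source code: a chunk from an fgets-style read that lacks a trailing '\n' is either a full buffer (long line) or was cut short by a NUL, and comparing strlen() with the buffer size tells them apart. BUFSZ, mem_gets(), naive_has_nul(), careful_has_nul() and rejects() are hypothetical names, the naive rule is a simplified stand-in for the behaviour the post reports, and the sample messages are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 32  /* hypothetical small stand-in for the server's line buffer */

/* Constructed sample messages: one line longer than BUFSZ, one with a NUL. */
static const char LONG_LINE[] = "Subject: t\r\n0123456789012345678901234567890123456789\r\n";
static const char WITH_NUL[] = "ab\0cd\r\n";

/* fgets-like read from memory: at most BUFSZ-1 bytes, stopping after '\n'. */
static size_t mem_gets(char *buf, const char *src, size_t left) {
    size_t n = 0;
    while (n < BUFSZ - 1 && n < left) {
        buf[n] = src[n];
        if (src[n++] == '\n') break;
    }
    buf[n] = '\0';
    return n;  /* used only to advance; the checks below never see it */
}

/* Flawed rule: any chunk not ending in '\n' is assumed to hold a NUL. */
static int naive_has_nul(const char *buf) {
    size_t len = strlen(buf);
    return len == 0 || buf[len - 1] != '\n';
}

/* Length-aware rule. Assumes the message itself ends with a newline. */
static int careful_has_nul(const char *buf) {
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') return 0;  /* complete line */
    if (len == BUFSZ - 1) return 0;  /* buffer full: long line continues */
    return 1;  /* short chunk, no newline: a NUL ended strlen() early */
}

/* Returns 1 if the message is rejected for NUL, 0 if accepted. */
static int rejects(const char *msg, size_t len, int (*has_nul)(const char *)) {
    char buf[BUFSZ];
    for (size_t off = 0; off < len; ) {
        off += mem_gets(buf, msg + off, len - off);
        if (has_nul(buf)) return 1;
    }
    return 0;
}

int main(void) {
    size_t n = sizeof LONG_LINE - 1;
    printf("long line: naive=%d careful=%d\n",
           rejects(LONG_LINE, n, naive_has_nul), rejects(LONG_LINE, n, careful_has_nul));
    return 0;
}
```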

More information about the Info-cyrus mailing list