diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2020-03-29 00:38:37 +0100 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2020-03-29 00:49:40 +0100 |
| commit | d9cfb9960dd1f39861e592d5eef4589810f2cb48 (patch) | |
| tree | f5697db99d98ae3765709441af067fc9ccdee2e1 | |
| parent | e9f7a61890f9ecf6eb20490f6f9936dc6c9ea250 (diff) | |
| download | fetchmail-d9cfb9960dd1f39861e592d5eef4589810f2cb48.tar.gz fetchmail-d9cfb9960dd1f39861e592d5eef4589810f2cb48.tar.bz2 fetchmail-d9cfb9960dd1f39861e592d5eef4589810f2cb48.zip | |
Fix garbage at end of plugin string with %h and/or %p
Commit 418cda65 from merge request !5 fixed an input buffer overrun but at the
same time caused the terminating NUL byte in the output buffer to be written
too late, 2 bytes per placeholder.
Fix the size calculation for correctness, and use the output index
and not the output length to terminate the output string.
Fixes #16, reported by Stefan Thurner. [All references for Gitlab.]
| -rw-r--r-- | NEWS | 10 | ||||
| -rw-r--r-- | socket.c | 5 |
2 files changed, 13 insertions, 2 deletions
@@ -65,6 +65,16 @@ removed from a 6.5.0 or newer release.) -------------------------------------------------------------------------------- +fetchmail-6.4.3 (WIP) + +## BUGFIX: +* fetchmail terminated the placeholder command string too late and included + garbage from the heap at the end of the string. Workaround: don't use place- + holders %h or %p in the --plugin string. Bug added in 6.4.0 when merging + Gitlab merge request !5 in order to fix an input buffer overrun. + Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd. + Reported by Stefan Thurner. + fetchmail-6.4.2 (released 2020-02-14, 27473 LoC): ## BREAKING CHANGES: @@ -104,7 +104,8 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha p = c; } - plugin_copy_len = plugin_len + host_len * host_count + service_len * service_count; + /* we need to discount 2 bytes for each placeholder */ + plugin_copy_len = plugin_len + (host_len - 2) * host_count + (service_len - 2) * service_count; plugin_copy = (char *)malloc(plugin_copy_len + 1); if (!plugin_copy) { @@ -129,7 +130,7 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha plugin_copy_offset++; } } - plugin_copy[plugin_copy_len] = 0; + plugin_copy[plugin_copy_offset] = 0; /* XXX FIXME - is this perhaps a bit too simplistic to chop down the argument strings without any respect to quoting? * better write a generic function that tracks arguments instead... */ |