From 206e749fc33982847124b3714c2749f80e3b9407 Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Mon, 22 Sep 1997 20:25:34 +0000 Subject: Prevent buffer overruns. svn path=/trunk/; revision=1384 --- NEWS | 1 - driver.c | 7 ++++--- fetchmail.h | 2 +- rfc822.c | 15 +++++++++++++-- 4 files changed, 18 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index d4f24f94..2eebe8b5 100644 --- a/NEWS +++ b/NEWS @@ -15,7 +15,6 @@ ------------------------------------------------------------------------------ fetchmail-4.2.5 () -* Alexander Kourakos corrected his patch to avoid a buffer overrun. * Greg Stark's patch for better autoconfiguration on mixed libc5/libc6 systems. * We no longer mess with CFLAGS/LDFLAGS to get Kerberos support linked. diff --git a/driver.c b/driver.c index 04b6683b..79a95b64 100644 --- a/driver.c +++ b/driver.c @@ -562,8 +562,9 @@ int num; /* index of message */ } set_timeout(ctl->server.timeout); - /* leave extra room for reply_hack to play with */ - line = (char *) realloc(line, strlen(line) + strlen(buf) + HOSTLEN + 1); + + line = (char *) realloc(line, strlen(line) + strlen(buf) +1); + strcat(line, buf); if (line[0] == '\r' && line[1] == '\n') break; @@ -671,7 +672,7 @@ int num; /* index of message */ } if (ctl->rewrite) - reply_hack(line, realname); + line = reply_hack(line, realname); if (!headers) { diff --git a/fetchmail.h b/fetchmail.h index 376c5f83..f9de3d20 100644 --- a/fetchmail.h +++ b/fetchmail.h @@ -237,7 +237,7 @@ int gen_transact (); #endif /* rfc822.c: RFC822 header parsing */ -void reply_hack(char *, const char *); +char *reply_hack(char *, const char *); char *nxtaddr(const char *); /* uid.c: UID support */ diff --git a/rfc822.c b/rfc822.c index 5e9e2da5..14187bde 100644 --- a/rfc822.c +++ b/rfc822.c 
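Review bot: In the driver.c hunk at -562, `line = (char *) realloc(line, strlen(line) + strlen(buf) +1);` stores the result straight back into `line`, and the next context line is `strcat(line, buf)`. If the allocation fails, this writes through NULL and the old buffer is lost. The realloc added in rfc822.c (`buf = (char *)realloc(buf, ...)`) has the same shape and is followed by a loop that dereferences `buf`. Take the result in a temporary and fail the fetch on NULL, along the lines of `tmp = realloc(line, strlen(line) + strlen(buf) + 1); if (tmp == NULL) { free(line); /* return the function's error status */ } line = tmp;`. The enclosing function starts and ends outside the hunk, so the right error path has to be chosen there.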
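Review bot: The new prototype `char *reply_hack(char *, const char *);` in fetchmail.h changes the ownership contract without documenting it. The buffer passed in can now be moved by realloc, so it must be heap-allocated and the caller must continue with the returned pointer. A comment on the declaration would make that explicit, e.g. `/* buf must be malloc'ed and may be moved; always use the returned pointer */`. Only the driver.c call site is updated in this diff, so any other caller that still ignores the return value would keep a stale pointer and should be checked.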
@@ -20,13 +20,14 @@ static int verbose; #endif /* TESTMAIN */ -void reply_hack(buf, host) +char *reply_hack(buf, host) /* hack message headers so replies will work properly */ char *buf; /* header to be hacked */ const char *host; /* server hostname */ { char *from, *cp; int parendepth, state, has_bare_name_part, has_host_part; + int addresscount = 1; if (strncasecmp("From: ", buf, 6) && strncasecmp("To: ", buf, 4) @@ -34,9 +35,17 @@ const char *host; /* server hostname */ && strncasecmp("Return-Path: ", buf, 13) && strncasecmp("Cc: ", buf, 4) && strncasecmp("Bcc: ", buf, 5)) { - return; + return(buf); } +#ifndef TESTMAIN + /* make room to hack the address; buf must be malloced */ + for (cp = buf; *cp; cp++) + if (*cp == ',' || isspace(*cp)) + addresscount++; + buf = (char *)realloc(buf, strlen(buf) + addresscount * strlen(host) + 1); +#endif /* TESTMAIN */ + parendepth = state = 0; has_host_part = has_bare_name_part = FALSE; for (from = buf; *from; from++) @@ -130,6 +139,8 @@ const char *host; /* server hostname */ has_host_part = has_bare_name_part = FALSE; } } + + return(buf); } char *nxtaddr(hdr) -- cgit v1.2.3
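Review bot: In the rfc822.c hunk at -34, the realloc size budgets `strlen(host)` bytes per counted separator, but a rewritten address presumably needs the host plus a joining `@`. The rewriting loop is outside this hunk, so confirm that there. As written, the buffer is large enough only because whitespace is over-counted, and that margin is not guaranteed for every header shape. Sizing it as `strlen(buf) + addresscount * (strlen(host) + 1) + 1` removes the dependence on over-counting. Separately, `isspace(*cp)` receives a plain `char`, which is undefined for header bytes with the high bit set; `isspace((unsigned char)*cp)` avoids that.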