From owner-freebsd-bugs Thu May 6 22:50: 5 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 2F8411531D for ; Thu, 6 May 1999 22:50:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id WAA13638; Thu, 6 May 1999 22:50:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Date: Thu, 6 May 1999 22:50:02 -0700 (PDT)
Message-Id: <199905070550.WAA13638@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Peter Jeremy
Subject: Re: bin/11552: sendmail local delivery (mail.local) can't handle long lines
Reply-To: Peter Jeremy
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR bin/11552; it has been noted by GNATS.

From: Peter Jeremy
To: freebsd-gnats-submit@FreeBSD.ORG, sendmail-bugs@sendmail.ORG
Cc:
Subject: Re: bin/11552: sendmail local delivery (mail.local) can't handle long lines
Date: Fri, 7 May 1999 15:42:09 +1000

A slight correction to my previous problem:

The bug appears to be a buffer size discrepancy between sendmail and mail.local.

When using LMTP, sendmail chops its input into 2047-byte `lines' (ie it probably does fgets() into a 2048-byte buffer, though I can't quickly find the code). To send as LMTP, it appends a CR and LF. Additionally, if the input line begins with a `.' it prepends another `.'. Thus the worst-case LMTP line written by sendmail is 2050 bytes.

mail.local reads input into a 2048 character buffer using fgets(), therefore it reads a maximum of 2047-bytes at once. In the worst case, this means that the 2050-byte line written by sendmail will be read as a 2047 byte line (with no terminating newline), followed by a 3 byte line. If these 3 bytes are `.' CR LF (ie the 2050-byte line sent by sendmail ended with a `.'), then mail.local sees it as the end of input.
The problem will therefore occur when sendmail reads input of the form `.' (2045 characters) `.', where the first `.' is either at the beginning of the line, or on a 2047-byte boundary.

Since SMTP has a line-length restriction of 1024 characters, any mail transferred via SMTP will have already been chopped into 1024 character segments, preventing this bug being triggered (though a similar bug could possibly occur).

This being the case, a better patch would be to increase the size of `line' in mail.local.c:store() from 2048 to 2051 (or more) bytes.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
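The buffer-size mismatch described in the message above, reproduced as an added example (not code from the message, sendmail or mail.local). The function names, the 'x' filler byte and the simplified receiver loop are assumptions; the `need_line_start` option goes beyond the message's proposed fix and shows a check that does not depend on buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENDER_CHUNK 2047   /* input bytes per "line" on the sending side */

/* Constructed worst case: a 2047-byte input line that begins and ends with
   '.', dot-stuffed and CRLF-terminated: 2050 bytes on the wire. */
static size_t build_wire_line(char *out)
{
    out[0] = '.';                              /* '.' prepended by the sender */
    memset(out + 1, 'x', SENDER_CHUNK);        /* the 2047-byte input line... */
    out[1] = out[SENDER_CHUNK] = '.';          /* ...with '.' first and last */
    memcpy(out + 1 + SENDER_CHUNK, "\r\n", 2); /* CR LF appended by the sender */
    return SENDER_CHUNK + 3;
}

/* Simplified receiver model: fgets() into a bufsize buffer, stop at a chunk
   equal to ".\r\n"; with need_line_start it must follow a '\n'. Returns the
   bytes left unread (0 = stopped at the real terminator), -1 on failure. */
static long unread_after_end(size_t bufsize, int need_line_start)
{
    char wire[SENDER_CHUNK + 3], *line = malloc(bufsize);
    FILE *fp = tmpfile();
    long left = -1;
    int at_line_start = 1;
    if (line && fp) {
        fwrite(wire, 1, build_wire_line(wire), fp);
        fputs(".\r\n", fp);                    /* the real end-of-data marker */
        long total = ftell(fp);
        rewind(fp);
        while (fgets(line, (int)bufsize, fp)) {
            if (strcmp(line, ".\r\n") == 0 && (at_line_start || !need_line_start))
                break;
            at_line_start = line[strlen(line) - 1] == '\n';
        }
        left = total - ftell(fp);
    }
    if (fp) fclose(fp);
    free(line);
    return left;
}

int main(void)
{
    printf("unread bytes: 2048=%ld 2051=%ld 2048+check=%ld\n", unread_after_end(2048, 0),
           unread_after_end(2051, 0), unread_after_end(2048, 1));
    return 0;
}
```

A non-zero result means the reader stopped on the 3-byte tail of the split line and left the real terminator unread.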