Message-Id: <199810152152.VAA01700@dt053nb4.san.rr.com>
Date: Thu, 15 Oct 1998 21:52:44 GMT
From: Studded@gorean.org
Reply-To: Studded@gorean.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/8339: [PATCH - MFC] for 'mail'
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 8339
>Category: bin
>Synopsis: [PATCH - MFC] for 'mail'
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 15 15:00:01 PDT 1998
>Last-Modified:
>Originator: Doug
>Organization: AAAG
>Release: FreeBSD 2.2.7-STABLE-1015 i386
>Environment:

Any 2.x system.

>Description:

The 'mail' program contains some overflowable arrays that lead to the dreaded, "mail in free(): warning: junk pointer, too high to make sense" warnings.

>How-To-Repeat:

Any use of 'mail' with a username, $TMPDIR, etc. which overflows the buffers causes the error.

>Fix:

Apply the following patch. This is a cvs diff between -Stable and -Current. The only thing I'm leaving out is the changes from vfork() -> fork() in cmd2.c and popen.c because they cause the junk pointer error again, and the whole fork/vfork thing is a -Current'ism. For the record, the changes in these patches are not my work, I'm just the tackle dummy. :)

Thanks,

Doug

Index: collect.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/collect.c,v retrieving revision 1.1.1.1.8.1 retrieving revision 1.4 diff -u -r1.1.1.1.8.1 -r1.4 --- collect.c 1998/03/08 09:46:35 1.1.1.1.8.1 +++ collect.c 1998/10/10 09:58:20 1.4 @@ -77,7 +77,7 @@ int lc, cc, escape, eofcount; register int c, t; char linebuf[LINESIZE], *cp; - extern char tempMail[]; + extern char *tempMail; char getsub; int omask; void collint(), collhup(), collstop(); @@ -472,7 +472,7 @@ { FILE *nf; sig_t sigint = signal(SIGINT, SIG_IGN); - extern char tempEdit[]; + extern char *tempEdit; char *shell; if ((nf = Fopen(tempEdit, "w+")) == NULL) { 
@@ -521,7 +521,7 @@ int f; { register int *msgvec; - extern char tempMail[]; + extern char *tempMail; struct ignoretab *ig; char *tabst; Index: edit.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/edit.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- edit.c 1994/05/27 12:32:06 1.1.1.1 +++ edit.c 1998/10/10 09:58:20 1.2 @@ -148,7 +148,7 @@ time_t modtime; char *edit; struct stat statb; - extern char tempEdit[]; + extern char *tempEdit; if ((t = creat(tempEdit, readonly ? 0400 : 0600)) < 0) { perror(tempEdit); Index: lex.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/lex.c,v retrieving revision 1.2.2.1 retrieving revision 1.5 diff -u -r1.2.2.1 -r1.5 --- lex.c 1998/03/08 09:46:49 1.2.2.1 +++ lex.c 1998/10/10 18:37:02 1.5 @@ -64,7 +64,7 @@ char isedit = *name != '%'; char *who = name[1] ? name + 1 : myname; static int shudclob; - extern char tempMesg[]; + extern char *tempMesg; extern int errno; if ((name = expand(name)) == NOSTR) Index: names.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/names.c,v retrieving revision 1.2.6.1 retrieving revision 1.4 diff -u -r1.2.6.1 -r1.4 --- names.c 1998/03/08 09:47:02 1.2.6.1 +++ names.c 1998/10/10 09:58:20 1.4 @@ -223,7 +223,7 @@ char *date, *fname, *ctime(); FILE *fout, *fin; int ispipe; - extern char tempEdit[]; + extern char *tempEdit; top = names; np = names; Index: quit.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/quit.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- quit.c 1994/05/27 12:32:07 1.1.1.1 +++ quit.c 1998/10/10 09:58:20 1.2 
@@ -72,7 +72,7 @@ FILE *ibuf, *obuf, *fbuf, *rbuf, *readstat, *abuf; register struct message *mp; register int c; - extern char tempQuit[], tempResid[]; + extern char *tempQuit, *tempResid; struct stat minfo; char *mbox; Index: send.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/send.c,v retrieving revision 1.2.6.1 retrieving revision 1.5 diff -u -r1.2.6.1 -r1.5 --- send.c 1998/03/08 09:47:07 1.2.6.1 +++ send.c 1998/10/10 09:58:20 1.5 @@ -428,7 +428,7 @@ struct header *hp; FILE *fi; { - extern char tempMail[]; + extern char *tempMail; register FILE *nfo, *nfi; register int c; Index: temp.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/temp.c,v retrieving revision 1.2.6.1 retrieving revision 1.5 diff -u -r1.2.6.1 -r1.5 --- temp.c 1997/07/28 06:43:49 1.2.6.1 +++ temp.c 1998/10/10 19:01:47 1.5 @@ -49,11 +49,11 @@ * Give names to all the temporary files that we will need. */ -char tempMail[24]; -char tempQuit[24]; -char tempEdit[24]; -char tempResid[24]; -char tempMesg[24]; +char *tempMail; +char *tempQuit; +char *tempEdit; +char *tempResid; +char *tempMesg; char *tmpdir; void 
@@ -67,21 +67,31 @@ else { len = strlen(tmpdir); if ((cp = malloc(len + 2)) == NULL) - err(1, NULL); + panic("Out of memory"); (void)strcpy(cp, tmpdir); cp[len] = '/'; cp[len + 1] = '\0'; tmpdir = cp; } - + len = strlen(tmpdir); + if ((tempMail = malloc(len + sizeof("RsXXXXXX"))) == NULL) + panic("Out of memory"); strcpy(tempMail, tmpdir); mktemp(strcat(tempMail, "RsXXXXXX")); + if ((tempResid = malloc(len + sizeof("RqXXXXXX"))) == NULL) + panic("Out of memory"); strcpy(tempResid, tmpdir); mktemp(strcat(tempResid, "RqXXXXXX")); + if ((tempQuit = malloc(len + sizeof("RmXXXXXX"))) == NULL) + panic("Out of memory"); strcpy(tempQuit, tmpdir); mktemp(strcat(tempQuit, "RmXXXXXX")); + if ((tempEdit = malloc(len + sizeof("ReXXXXXX"))) == NULL) + panic("Out of memory"); strcpy(tempEdit, tmpdir); mktemp(strcat(tempEdit, "ReXXXXXX")); + if ((tempMesg = malloc(len + sizeof("RxXXXXXX"))) == NULL) + panic("Out of memory"); strcpy(tempMesg, tmpdir); mktemp(strcat(tempMesg, "RxXXXXXX"));
>Audit-Trail:
>Unformatted:
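
Review bot: The `extern` declarations repeated inside functions in collect.c, edit.c, lex.c, names.c, quit.c and send.c have to match the new `char *` definitions in temp.c (@@ -49,11 +49,11 @@) by hand, and nothing in the build checks that they do. An `extern char tempEdit[];` left behind against a `char *tempEdit;` definition still links, and the code then reads the pointer's own bytes as the file name. I would declare the five pointers once in a header that temp.c and the callers all include, and delete the per-function `extern` lines. Note also that the pointers are null until the setup code in temp.c has run, where the old arrays held an empty string, so any path that touches a temp name before that point now dereferences NULL.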
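
Review bot: The five `mktemp(strcat(tempX, "R?XXXXXX"))` calls in temp.c (@@ -67,21 +67,31 @@) still only generate a name, and the files are opened later by `Fopen(tempEdit, "w+")` in collect.c and `creat(tempEdit, readonly ? 0400 : 0600)` in edit.c, neither of which fails if the path already exists. Since the directory comes from `tmpdir` and the report itself lists $TMPDIR as input, that leaves a window in which the path can be pre-created by someone else; I would use `mkstemp()` and keep the descriptor, or open with `O_CREAT | O_EXCL`, and check the return value either way. The sizing itself is right (`sizeof("RsXXXXXX")` includes the terminating NUL), but the same malloc/strcpy/strcat/mktemp sequence is written out five times and would be easier to audit as one helper taking the suffix. Replacing `err(1, NULL)` with `panic("Out of memory")` also drops the errno text from the message, which is worth a line in the commit log if intended.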