Bugtraq mailing list archives

Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit]


From: rhialto () POLDER UBC KUN NL (Olaf Seibert)
Date: Mon, 20 Dec 1999 12:46:45 +0100


On Fri 17 Dec 1999 at 13:08:38 -0000, Maurycy Prodeus wrote:
In pop_euidl() in file pop_uidl.c (qpop-2.53) :

    } else {

        sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
        if (nl = index(buffer, NEWLINE)) *nl = 0;
        sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));

This is a wrong way to append text to a buffer anyway... if that's
indeed the intention. Strictly speaking from a C standards viewpoint,
this function call (probably) has undefined behaviour because one object
(the buffer) is both being used and modified between sequence points,
practically speaking it is quite possible that the action of copying the
buffer to itself might never finish because the terminating \0 is
overwritten by something before it is seen to terminate the string...

I would suggest something like

    sprintf(buffer + strlen(buffer), " %d %.128s",  mp->length, from_hdr(p,mp));

-Olaf.

--
___ Olaf 'Rhialto' Seibert - rhialto () polder ubc.     -- If one tells the truth,
\X/ .kun.nl     -- one is sure, sooner or later, to be found out. (Oscar Wilde)
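The safer append pattern Olaf suggests, worked through as an added example (not code from this thread or from qpopper): the buffer is never passed to sprintf as both destination and source, every append is bounded with vsnprintf, and a line that would not fit is reported instead of silently overflowing. The helper names append_fmt and build_uidl_line and the sample message values are assumptions made for this example.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Append formatted text to buf (total capacity size) at its current
 * terminating NUL. Returns 0 on success, -1 if buf is not terminated
 * within size or the result would not fit; on truncation buf is still
 * left NUL-terminated. The offset is computed before the write, so the
 * destination never overlaps a source argument (unlike sprintf(buf, "%s...", buf)). */
int append_fmt(char *buf, size_t size, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', size);
    if (end == NULL)
        return -1;                        /* no terminator: refuse to guess */
    size_t used = (size_t)(end - buf);

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + used, size - used, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= size - used)
        return -1;                        /* output was truncated */
    return 0;
}

/* Build the "msg_id uidl length from" line that pop_euidl() assembles,
 * appending each piece in turn instead of re-reading the buffer through
 * sprintf. from_hdr is limited to 128 bytes as in the original format. */
int build_uidl_line(char *buf, size_t size, int msg_id, const char *uidl_str,
                    long length, const char *from_hdr)
{
    if (size == 0)
        return -1;
    buf[0] = '\0';
    if (append_fmt(buf, size, "%d %s", msg_id, uidl_str) != 0)
        return -1;
    char *nl = strchr(buf, '\n');         /* strip a trailing newline, as the original's index() call does */
    if (nl != NULL)
        *nl = '\0';
    return append_fmt(buf, size, " %ld %.128s", length, from_hdr);
}

int main(void)
{
    /* Constructed sample values standing in for one mailbox entry. */
    char line[256];
    if (build_uidl_line(line, sizeof line, 1, "abc123\n", 1024,
                        "alice@example.org") == 0)
        printf("%s\n", line);             /* prints: 1 abc123 1024 alice@example.org */
    else
        printf("line did not fit\n");
    return 0;
}
```

With a 256-byte buffer the sample line is built as "1 abc123 1024 alice@example.org"; with a buffer too small for the same input build_uidl_line returns -1 and the buffer holds a terminated, truncated prefix rather than overrunning its end.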


