Bugtraq mailing list archives
Re: [lucid () TERRA NEBULA ORG: qpop3.0b20 and below - notes and exploit]
From: rhialto () POLDER UBC KUN NL (Olaf Seibert)
Date: Mon, 20 Dec 1999 12:46:45 +0100
On Fri 17 Dec 1999 at 13:08:38 -0000, Maurycy Prodeus wrote:
> In pop_euidl() in file pop_uidl.c (qpop-2.53) :
>
>     } else {
>         sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
>         if (nl = index(buffer, NEWLINE)) *nl = 0;
>         sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));

This is a wrong way to append text to a buffer anyway... if that's indeed the intention. Strictly speaking from a C standards viewpoint, this function call (probably) has undefined behaviour because one object (the buffer) is both being used and modified between sequence points; practically speaking, it is quite possible that the action of copying the buffer to itself might never finish because the terminating \0 is overwritten by something before it is seen to terminate the string...

I would suggest something like

    sprintf(buffer + strlen(buffer), " %d %.128s", mp->length, from_hdr(p,mp));

-Olaf.
--
___ Olaf 'Rhialto' Seibert - rhialto () polder ubc. -- If one tells the truth,
\X/ .kun.nl -- one is sure, sooner or later, to be found out. (Oscar Wilde)
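
Added example, not part of the original message or of the qpopper source: the append-at-offset idea from the reply above, extended with a length check so the append can neither overlap its own source nor run past the buffer. The names append_fmt and build_euidl_line, the int type of the length field and the sample values are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at the current end of buf, never passing buf as
 * one of its own arguments. Returns 0 on success, -1 if the result would
 * not fit in cap bytes; on failure the previous contents are restored. */
static int append_fmt(char *buf, size_t cap, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', cap);
    size_t used;
    va_list ap;
    int n;

    if (end == NULL)                 /* not terminated within cap: refuse */
        return -1;
    used = (size_t)(end - buf);
    va_start(ap, fmt);
    n = vsnprintf(buf + used, cap - used, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - used) {
        buf[used] = '\0';            /* undo the truncated write */
        return -1;
    }
    return 0;
}

/* Hypothetical stand-in for the response line built in the quoted code. */
static int build_euidl_line(char *buf, size_t cap, int msg_id,
                            const char *uidl, int length, const char *from)
{
    char *nl;

    if (cap == 0)
        return -1;
    buf[0] = '\0';
    if (append_fmt(buf, cap, "%d %s", msg_id, uidl) != 0)
        return -1;
    if ((nl = strchr(buf, '\n')) != NULL)   /* same newline trim as the original */
        *nl = '\0';
    return append_fmt(buf, cap, " %d %.128s", length, from);
}

int main(void)
{
    char line[64];
    /* Constructed sample values. */
    if (build_euidl_line(line, sizeof line, 1, "abc123\n", 2048, "user@example.org") == 0)
        puts(line);
    return 0;
}
```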