crl@pur-phy.UUCP (Charles LaBrec) (02/14/84)
Last week, we had the same problem with expire, so I dug into the sources and fixed it. Since it seems stable, I'll hand it out.

The problem is in the subroutine frmread(). The way unrecognized headers in a message are handled is that an array of pointers is kept that points to them. When a message header is parsed, this array is zeroed and unrecognized headers are malloc'ed when they are seen. Unfortunately, the return from malloc is not checked, and is immediately used in a strcpy to copy the header into the space (thus a copy into address 0 on an 11). Furthermore, the array is never free()'ed, so 11's run out of space real quick. It seems as if more unrecognized headers are coming in (I see quite a few with notesfile specific information) so the problem has only recently reared its ugly head. The diff is below.

Charles LaBrec
UUCP: pur-ee!Physics:crl, purdue!Physics:crl
INTERNET: crl @ pur-phy.UUCP

*** /tmp/#RCSt1008875 Tue Feb 14 15:28:51 1984 --- /tmp/#RCSt2008875 Tue Feb 14 15:29:10 1984 *************** *** 1,5 /* * header.c - header functions plus some other goodies */ static char *SccsId = "@(#)header.c 2.20 6/24/83"; --- 1,29 ----- /* * header.c - header functions plus some other goodies + * + * $Log: /src/usrbin/news/src/RCS/header.c,v $ + * Revision 2.20.1.6 84/02/08 20:52:45 crl + * The malloc() of unrecognized headers was not checked for success. + * The above malloc()'ed space is never freed. */ static char *SccsId = "@(#)header.c 2.20 6/24/83"; *************** *** 122,128 int hdrlineno = 0; int iu; ! for (iu=0; iu<NUNREC; iu++) hp->unrec[iu] = NULL; i = type(bfr); --- 146,154 ----- int hdrlineno = 0; int iu; ! for (iu=0; iu<NUNREC; iu++) { ! if (hp->unrec[iu] != NULL) ! 
free(hp->unrec[iu]); hp->unrec[iu] = NULL; } *************** *** 124,129 for (iu=0; iu<NUNREC; iu++) hp->unrec[iu] = NULL; i = type(bfr); do { --- 150,156 ----- if (hp->unrec[iu] != NULL) free(hp->unrec[iu]); hp->unrec[iu] = NULL; + } i = type(bfr); do { *************** *** 210,218 break; case OTHER: if (unreccnt < NUNREC) { ! hp->unrec[unreccnt] = malloc(strlen(bfr) + 1); ! strcpy(hp->unrec[unreccnt], bfr); ! unreccnt++; } break; } --- 237,246 ----- break; case OTHER: if (unreccnt < NUNREC) { ! if ((hp->unrec[unreccnt] = malloc(strlen(bfr) + 1)) != NULL) { ! strcpy(hp->unrec[unreccnt], bfr); ! unreccnt++; ! } } break; }
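Review bot: in the header.c comment hunk (*** 1,5 / --- 1,29) the $Log entry records revision 2.20.1.6 but the SccsId string right below it is left at "@(#)header.c 2.20 6/24/83", so a built binary still identifies itself as the unpatched 2.20; bump the id string (or keep only one version marker) so the fixed build can be told apart in the field. The --- 1,29 range also claims 24 added lines while the hunk shows only 5 "+" lines, so the posted diff does not match its own line counts and may not apply cleanly with patch(1); regenerate it against the checked-in file.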
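Review bot: the new free loop at the top of frmread() (hunks *** 122,128 and *** 124,129) is only safe if every struct header handed to frmread() has its unrec[] slots zeroed before the first call; the hunk adds the `if (hp->unrec[iu] != NULL)` test but nothing visible initializes hp, and a caller with an uninitialized automatic struct would pass garbage to free(). Document that precondition at the top of frmread() or have the callers zero the struct. Note also that the two hunks overlap (122-128 and 124-129) and present the same loop change twice, once with the closing brace in context and once as `+ }`; a single regenerated hunk would avoid patch(1) applying the body twice or rejecting the second.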
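Review bot: in the case OTHER hunk (*** 210,218) a failed malloc() now drops the header line silently; leaving unreccnt unchanged keeps the NULL slot consistent with the free loop, which is correct, but consider a diagnostic so an out-of-memory condition on an 11 shows up in the news log rather than as a quietly missing header. The hunk also does not show a declaration of malloc() in scope; with the K&R compilers of the day an undeclared malloc() is assumed to return int, so confirm header.c carries `extern char *malloc();` before relying on the `!= NULL` comparison.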
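As an added example (not the posted patch or any news source), the two fixes described above rewritten as a small stand-alone C routine, with an allocator hook so the malloc() failure path can actually be exercised instead of waiting for an 11 to run out of memory; the struct, hdr_reset(), hdr_keep_unrec(), the hook and the header lines are constructed here, only NUNREC, unrec[] and unreccnt follow the names in header.c.

```c
#include <stdlib.h>
#include <string.h>
#define NUNREC 16   /* slots for unrecognized headers, as in header.c */
struct header {
    char *unrec[NUNREC];   /* unrecognized header lines, NULL when empty */
    int   unreccnt;
};
/* Allocator hook, added for testing: a test can stand in for a failing malloc(). */
static void *(*hdr_alloc)(size_t) = malloc;

/* The patch's free loop from frmread(): drop the previous message's headers first. */
void hdr_reset(struct header *hp)
{
    for (int iu = 0; iu < NUNREC; iu++) {
        free(hp->unrec[iu]);        /* free(NULL) is a no-op in standard C */
        hp->unrec[iu] = NULL;
    }
    hp->unreccnt = 0;
}

/* The patched OTHER case: copy the line only when the allocation succeeded.
 * Returns 1 if kept, 0 if dropped (table full or out of memory). */
int hdr_keep_unrec(struct header *hp, const char *bfr)
{
    if (hp->unreccnt >= NUNREC)
        return 0;
    char *copy = hdr_alloc(strlen(bfr) + 1);
    if (copy == NULL)
        return 0;                   /* the unpatched code strcpy()'d into this NULL */
    strcpy(copy, bfr);
    hp->unrec[hp->unreccnt++] = copy;
    return 1;
}

static void *no_memory(size_t n) { (void)n; return NULL; }

/* Parse two constructed messages into one struct, then force an allocation failure.
 * Returns the headers still kept afterwards (1: msg2's line; the failed line is dropped). */
int demo(void)
{
    static const char *msg1[] = { "X-Sample-1: constructed", "X-Sample-2: constructed", NULL };
    struct header h = { {0}, 0 };   /* must start zeroed, or hdr_reset() frees garbage */
    for (int i = 0; msg1[i]; i++) hdr_keep_unrec(&h, msg1[i]);
    hdr_reset(&h);                  /* msg1's two lines are freed here, not leaked */
    hdr_keep_unrec(&h, "X-Sample-3: constructed");
    hdr_alloc = no_memory;
    int ok = hdr_keep_unrec(&h, "X-Sample-4: constructed") == 0 && h.unrec[1] == NULL;
    hdr_alloc = malloc;
    int kept = ok ? h.unreccnt : -1;
    hdr_reset(&h);
    return kept;
}
```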