[net.news.b] Expire infinite loop bug fixed

crl@pur-phy.UUCP (Charles LaBrec) (02/14/84)

Last week, we had the same problem with expire, so I dug into the 
sources and fixed it.  Since it seems stable, I'll hand it out.
The problem is in the subroutine frmread().  The way unrecognized
headers in a message are handled is that an array of pointers is
kept that points to them.  When a message header is parsed, this array
is zeroed and unrecognized headers are malloc'ed when they are seen.
Unfortunately, the return from malloc is not checked, and is immediately
used in a strcpy to copy the header into the space (thus a copy into
address 0 on an 11).  Furthermore, the array is never free()'ed, so
11's run out of space real quick.  It seems as if more unrecognized
headers are coming in (I see quite a few with notesfile specific
information) so the problem has only recently reared its ugly head.

The diff is below.

Charles LaBrec
UUCP:		pur-ee!Physics:crl, purdue!Physics:crl
INTERNET:	crl @ pur-phy.UUCP

*** /tmp/#RCSt1008875	Tue Feb 14 15:28:51 1984
--- /tmp/#RCSt2008875	Tue Feb 14 15:29:10 1984
***************
*** 1,5
  /*
   * header.c - header functions plus some other goodies
   */
  
  static char	*SccsId = "@(#)header.c	2.20	6/24/83";

--- 1,29 -----
  /*
   * header.c - header functions plus some other goodies
+  *
+  * $Log:	/src/usrbin/news/src/RCS/header.c,v $
+  * Revision 2.20.1.6  84/02/08  20:52:45  crl
+  * The malloc() of unrecognized headers was not checked for success.
+  * 	The above malloc()'ed space is never freed.
   */
  
  static char	*SccsId = "@(#)header.c	2.20	6/24/83";
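Review bot: The $Log entry records this as Revision 2.20.1.6 while the SccsId string two lines below still reads 2.20 6/24/83, so a binary built from this file will identify itself as the unfixed version; update the SccsId or note which of the two identifiers is authoritative. Minor style point: the second log line is indented with a tab after the ` * `, unlike the line above it.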
***************
*** 122,128
  	int hdrlineno = 0;
  	int iu;
  
! 	for (iu=0; iu<NUNREC; iu++)
  		hp->unrec[iu] = NULL;
  
  	i = type(bfr);

--- 146,154 -----
  	int hdrlineno = 0;
  	int iu;
  
! 	for (iu=0; iu<NUNREC; iu++) {
! 		if (hp->unrec[iu] != NULL)
! 			free(hp->unrec[iu]);
  		hp->unrec[iu] = NULL;
  	}
  
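Review bot: The new free() loop assumes hp->unrec[] holds either NULL or a live malloc() pointer on entry, which is only true if the header struct was zeroed before the first frmread() call; an uninitialized struct would hand garbage pointers to free(). Document that precondition at the top of frmread(), or zero the array once where the struct is created and rely on this free-then-NULL loop only for subsequent calls.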
***************
*** 124,129
  
  	for (iu=0; iu<NUNREC; iu++)
  		hp->unrec[iu] = NULL;
  
  	i = type(bfr);
  	do {

--- 150,156 -----
  		if (hp->unrec[iu] != NULL)
  			free(hp->unrec[iu]);
  		hp->unrec[iu] = NULL;
+ 	}
  
  	i = type(bfr);
  	do {
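Review bot: The old-side range 124,129 overlaps the previous hunk's 122,128, and the added `}` together with its context lines already appears on that hunk's new side, so this hunk is redundant; applying both to the same file is likely to fail or report the second as already applied. Regenerate the diff so the brace is carried in a single hunk.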
***************
*** 210,218
  			break;
  		case OTHER:
  			if (unreccnt < NUNREC) {
! 				hp->unrec[unreccnt] = malloc(strlen(bfr) + 1);
! 				strcpy(hp->unrec[unreccnt], bfr);
! 				unreccnt++;
  			}
  			break;
  		}

--- 237,246 -----
  			break;
  		case OTHER:
  			if (unreccnt < NUNREC) {
! 				if ((hp->unrec[unreccnt] = malloc(strlen(bfr) + 1)) != NULL) {
! 					strcpy(hp->unrec[unreccnt], bfr);
! 					unreccnt++;
! 				}
  			}
  			break;
  		}
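Review bot: When malloc() fails the header is now silently dropped: the slot stays NULL and unreccnt is not advanced, which is consistent with the reset loop, but nothing is reported, so an article processed with a header missing leaves no trace. Consider a diagnostic in an else branch (e.g. a line to stderr or the news log) so an out-of-memory condition can be told apart from an article that simply had no unrecognized headers. The `if (unreccnt < NUNREC)` guard remains what keeps the index inside the array; headers beyond the limit are also dropped without notice.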
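The pattern the patch installs, a free-then-clear reset of the saved headers and a malloc() result tested before strcpy(), as an added stand-alone C example; it is not code from the original post or from the news sources. `struct header`, `hdr_reset`, `hdr_parse`, the `hdr_alloc` hook, the sample header lines and the NUNREC value are all assumed or constructed here.

```c
#include <stdlib.h>
#include <string.h>

#define NUNREC 10   /* name as in header.c; the value is an assumption */
struct header {     /* stand-in for the part of the news header frmread() fills */
    char *unrec[NUNREC];   /* unrecognized header lines; NULL when a slot is unused */
};

static void *(*hdr_alloc)(size_t) = malloc;   /* hook so a test can force malloc() failure */
static void *fail_alloc(size_t n) { (void)n; return NULL; }
/* Constructed sample article with two headers the parser does not recognize. */
static const char *const sample_article[] = {
    "From: someone@example.invalid", "Nf-ID: constructed", "Nf-From: constructed",
    "Subject: constructed", NULL
};

/* The patched reset loop: free what the previous article left, then clear.
 * Precondition: each slot is NULL or a live malloc() pointer (zero-init hp once). */
void hdr_reset(struct header *hp)
{
    int iu;
    for (iu = 0; iu < NUNREC; iu++) {
        if (hp->unrec[iu] != NULL)
            free(hp->unrec[iu]);
        hp->unrec[iu] = NULL;
    }
}

/* Parse a NULL-terminated array of header lines; known headers are consumed,
 * the rest stored as in the patched OTHER case.  Returns the number stored. */
int hdr_parse(struct header *hp, const char *const *lines)
{
    static const char *const known[] = { "From:", "Subject:", "Newsgroups:" };
    int unreccnt = 0, i, k, rec;
    hdr_reset(hp);
    for (i = 0; lines[i] != NULL; i++) {
        for (rec = 0, k = 0; k < 3; k++)
            if (strncmp(lines[i], known[k], strlen(known[k])) == 0)
                rec = 1;
        if (rec || unreccnt >= NUNREC)
            continue;
        /* The fix: test malloc()'s result before strcpy(); on failure the slot
         * stays NULL and the header is dropped rather than copied to address 0. */
        if ((hp->unrec[unreccnt] = hdr_alloc(strlen(lines[i]) + 1)) != NULL) {
            strcpy(hp->unrec[unreccnt], lines[i]);
            unreccnt++;
        }
    }
    return unreccnt;
}
```

Parsing the same article twice keeps two headers each time without leaking the first copies, and with `hdr_alloc` pointed at `fail_alloc` the parse stores nothing and leaves every slot NULL instead of dereferencing a null pointer.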