david@elroy.jpl.nasa.gov (David Robinson) (09/04/90)
Subject: 4.3T UUCP core dumps on bad control files Index: usr.bin 4.3BSD-tahoe Description: If there exists a UUCP control with less than 5 options uucico will attempt to dereference a NULL pointer through W_OPTNS (wrkvec[4]). This is caused by an attempt to set the mailopt and ntfyopt before the array wrkvec is checked for a valid size. Repeat-By: Create a file in the C. uucp subdirectory of the form: S D.junkBBe42 D.junkSBe42 S D.junkXBe40 X.junkdBe43 Run uucico on a machine that does not allow dereferencing NULL pointers (aka Sun) and see a SEGV in the call to index(). Fix: *** cntrl.c-dist Mon Oct 17 08:18:17 1988 --- cntrl.c Wed Aug 22 15:02:34 1990 *************** *** 191,199 **** logent(rqstr, "REQUEST"); goto sendmsg; } - mailopt = index(W_OPTNS, 'm') != NULL; - ntfyopt = index(W_OPTNS, 'n') != NULL; - if (narg < 5 || W_TYPE[1] != '\0') { char *bnp; bnp = rindex(Wfile, '/'); --- 191,196 ---- *************** *** 204,209 **** --- 201,209 ---- Wfile[0] = '\0'; goto top; } + mailopt = index(W_OPTNS, 'm') != NULL; + ntfyopt = index(W_OPTNS, 'n') != NULL; + sprintf(User, "%.9s", W_USER); sprintf(rqstr, "(%s %s %s %s)", W_TYPE, W_FILE1, W_FILE2, W_USER); -- David Robinson david@elroy.jpl.nasa.gov {decwrl,usc,ames}!elroy!david Disclaimer: No one listens to me anyway! "Once a new technology rolls over you, if you're not part of the steamroller, you're part of the road." - Stewart Brand