[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
some code issues
From: |
Nico Golde |
Subject: |
some code issues |
Date: |
Sat, 5 Jan 2008 18:59:08 +0100 |
Hi,
I had a quick look at the pop.c code today and found some
issues.
In pop_stat:
365 if (strncmp (fromserver, "+OK ", 4))
366 {
367 if (0 == strncmp (fromserver, "-ERR", 4))
368 {
369 strncpy (pop_error, fromserver, ERROR_MAX);
370 }
371 else
372 {
373 strcpy (pop_error,
374 >··· "Unexpected response from POP server in pop_stat");
375 pop_trash (server);
376 }
377 return (-1);
378 }
380 *count = atoi (&fromserver[4]);
381
382 fromserver = index (&fromserver[4], ' ');
383 if (! fromserver)
384 {
385 strcpy (pop_error,
386 >··· "Badly formatted response from server in pop_stat");
387 pop_trash (server);
388 return (-1);
389 }
If I don't miss anything the atoi call in 380 is not save as it is not
save because it is not ensure that &fromserver[4] is not NULL. A crafted
pop3 server could thus crash emacs. This is of course not a real issue but
wouldn't be nice. Same for the pop_last function.
In pop_list:
440
441 *IDs = (int *) malloc ((how_many + 1) * sizeof (int));
442 *sizes = (int *) malloc ((how_many + 1) * sizeof (int));
443 if (! (*IDs && *sizes))
444 {
445 strcpy (pop_error, "Out of memory in pop_list");
446 return (-1);
447 }
448
in 441 and 442 there should be some check for how_many to prevent an integer
overflow here.
Same problem for the xnew macro in etags.c
What do you think about this?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpimXSrWVLHF.pgp
Description: PGP signature
- some code issues,
Nico Golde <=