dccifd stability issues with 1.2.74

Vernon Schryver vjs@calcite.rhyolite.com
Wed Mar 30 19:32:21 UTC 2005


> From: Kelsey Cummings 


> Vernon - it seems to be one particular spam that is causing the problems
> for me.  It has a long hostname in a URL - 113 chars in the form of
>
> a[83]YN8Ag48fGByN8841GG.baranto.com
>
> That is, 83 'a's followed by 'YN8Ag48fGByN8841GG.baranto.com'
>
> This is an illegal domain name - perhaps there are some missing sanity
> checks somewhere?

Yes, as I think I wrote yesterday, I found that HTML mail with a first
very long host name in a URL followed by any other URL will crash any
of the DCC clients.  The problem is that I messed up in trimming the
buffer of parts of URLs that is included in the FUZ2 checksum.  I think
this is an old bug.

However, Cami at mweb.co.za has reported a stack trace that points to
something completely different.

The bug I found has a stack trace that mentions memmove() out of
decode_sum() in dcclib/ckbody.c.  Enclosed is a patch that seems to
fix it.  The bug is painfully obvious.

(Later I will check the log files you sent to see what they do.)


> It's also using the same string as the multi-part boundary.

That is a new wrinkle.  It should not matter, but I guess I should try it.


Vernon Schryver    vjs@rhyolite.com



RCS file: RCS/ckfuz2.c,v
retrieving revision 1.39
diff -c -r1.39 ckfuz2.c
*** ckfuz2.c    2005/03/22 23:57:26     1.39
--- ckfuz2.c    2005/03/30 19:29:11
***************
*** 439,451 ****
                                        break;
                                case DCC_CK_URL_CK_LEN:
                                        /* Make room if we are too close to
!                                        * end of buffer for maximum size URL */
                                        while (FZ2.url_cp
                                               >= &FZ2.url_buf[ISZ(FZ2.url_buf)
                                                        - DCC_FUZ2_URL_MAX]) {
                                            p = memchr(FZ2.url_buf, '\0',
                                                       FZ2.url_cp-FZ2.url_buf);
!                                           ++p;
                                            memmove(FZ2.url_buf, p,
                                                    FZ2.url_cp - p);
                                            FZ2.url_cp -= p - FZ2.url_buf;
--- 439,460 ----
                                        break;
                                case DCC_CK_URL_CK_LEN:
                                        /* Make room if we are too close to
!                                        * end of buffer for a maximum size URL.
!                                        * Discard the first URL in the buffer.
!                                        * This relies on dcc_ck_url() limiting
!                                        * the URL to DCC_URL_MAX bytes */
                                        while (FZ2.url_cp
                                               >= &FZ2.url_buf[ISZ(FZ2.url_buf)
                                                        - DCC_FUZ2_URL_MAX]) {
                                            p = memchr(FZ2.url_buf, '\0',
                                                       FZ2.url_cp-FZ2.url_buf);
!                                           if (!p) {
!                                               /* if this was the first URL,
!                                                * discard half of it */
!                                               p = &FZ2.url_buf[DCC_URL_MAX/2];
!                                           } else {
!                                               ++p;
!                                           }
                                            memmove(FZ2.url_buf, p,
                                                    FZ2.url_cp - p);
                                            FZ2.url_cp -= p - FZ2.url_buf;
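Review bot: the new `if (!p)` branch assumes `FZ2.url_cp - FZ2.url_buf >= DCC_URL_MAX/2` whenever memchr() finds no terminator, but nothing in the hunk establishes that; it holds only if the loop's entry threshold `ISZ(FZ2.url_buf) - DCC_FUZ2_URL_MAX` is at least `DCC_URL_MAX/2`. If it is not, `FZ2.url_cp - p` is negative, memmove() gets an enormous size_t length, and the result is the same class of crash the patch is fixing (the old `++p` on a NULL memchr() result). Suggest either a comment next to the `p = &FZ2.url_buf[DCC_URL_MAX/2];` line stating the size relationship the code depends on, or cutting based on what is actually in the buffer, e.g. `p = &FZ2.url_buf[(FZ2.url_cp - FZ2.url_buf)/2];`, which also makes the "discard half of it" comment literally true (as written the code discards half of a maximum-size URL, not half of the bytes present).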




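As an added example that is not DCC code, the C model below reproduces the failure described in this message and the patched behaviour side by side: a URL buffer holding NUL-separated URL parts, a trim loop that discards the first URL when the write pointer gets too close to the end, and what happens when the very first URL is so long that the buffer fills with no terminator in it. The buffer sizes (URL_BUF_SIZE, URL_MAX, FUZ2_URL_MAX), the byte-at-a-time append, and the sample URLs are constructed stand-ins for ISZ(FZ2.url_buf), DCC_URL_MAX, DCC_FUZ2_URL_MAX and the real parser, chosen so the 113-character host name from the report crosses the threshold. The unpatched function returns -1 at the point where the original would have done `++p` on NULL and called memmove() out of bounds; the clamp in the patched function is an extra check added here, not part of the patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in sizes (assumptions, not the real DCC constants):
 * ISZ(FZ2.url_buf), DCC_URL_MAX and DCC_FUZ2_URL_MAX respectively. */
#define URL_BUF_SIZE   128
#define URL_MAX        120
#define FUZ2_URL_MAX   16

/* Model of the two FZ2 fields the patch touches. */
struct urlbuf {
    char  buf[URL_BUF_SIZE];
    char *cp;               /* next free byte; URLs are NUL-separated */
};

static void urlbuf_init(struct urlbuf *ub) { ub->cp = ub->buf; }

/* "Too close to the end of the buffer for a maximum size URL". */
static int urlbuf_full(const struct urlbuf *ub)
{
    return ub->cp >= &ub->buf[URL_BUF_SIZE - FUZ2_URL_MAX];
}

/* Pre-patch trim loop, instrumented: where the original did ++p on the
 * NULL that memchr() returns for a buffer holding one unterminated URL
 * and then called memmove() with a wild pointer and a huge length,
 * this returns -1 instead of crashing. */
static int make_room_unpatched(struct urlbuf *ub)
{
    while (urlbuf_full(ub)) {
        char *p = memchr(ub->buf, '\0', ub->cp - ub->buf);
        if (!p)
            return -1;      /* original: ++p; memmove(...): out of bounds */
        ++p;                /* skip the terminator of the first URL */
        memmove(ub->buf, p, ub->cp - p);
        ub->cp -= p - ub->buf;
    }
    return 0;
}

/* Patched trim loop: with no terminator present, drop the first
 * URL_MAX/2 bytes of the partial URL instead of dereferencing NULL+1. */
static int make_room_patched(struct urlbuf *ub)
{
    while (urlbuf_full(ub)) {
        char *p = memchr(ub->buf, '\0', ub->cp - ub->buf);
        if (!p) {
            p = &ub->buf[URL_MAX / 2];
            if (p > ub->cp)     /* assumption: added clamp, not in the patch */
                p = ub->cp;
        } else {
            ++p;
        }
        memmove(ub->buf, p, ub->cp - p);
        ub->cp -= p - ub->buf;
    }
    return 0;
}

/* Append one URL byte by byte, making room before every byte, so a URL
 * longer than the free space leaves the buffer with no terminator in it.
 * The URL is cut to URL_MAX bytes, the limit the patch comment says
 * dcc_ck_url() enforces.  Returns -1 if the trim function faults. */
static int urlbuf_add(struct urlbuf *ub, const char *url,
                      int (*make_room)(struct urlbuf *))
{
    size_t len = strlen(url), i;
    if (len > URL_MAX)
        len = URL_MAX;
    for (i = 0; i <= len; i++) {    /* one extra pass for the terminator */
        if (make_room(ub) < 0)
            return -1;
        *ub->cp++ = (i < len) ? url[i] : '\0';
    }
    return 0;
}

/* Constructed sample input modelled on the reported spam: 83 'a's then
 * YN8Ag48fGByN8841GG.baranto.com, a 113-character host name, as a URL. */
static const char *spam_url(void)
{
    static char url[URL_BUF_SIZE];
    memset(url, 0, sizeof(url));
    strcpy(url, "http://");
    memset(url + 7, 'a', 83);
    strcpy(url + 7 + 83, "YN8Ag48fGByN8841GG.baranto.com/");
    return url;             /* 121 bytes */
}

static const char SECOND_URL[] = "http://example.com/";                      /* 19 bytes */
static const char THIRD_URL[]  = "http://baranto.com/track?id=0123456789ab"; /* 40 bytes */

/* The sequence from the report: the oversize URL first, then other URLs. */
static int demo_sequence(struct urlbuf *ub, int (*make_room)(struct urlbuf *))
{
    urlbuf_init(ub);
    if (urlbuf_add(ub, spam_url(), make_room) < 0) return -1;
    if (urlbuf_add(ub, SECOND_URL, make_room) < 0) return -1;
    if (urlbuf_add(ub, THIRD_URL, make_room) < 0) return -1;
    return 0;
}

int main(void)
{
    struct urlbuf ub;
    printf("unpatched: %s\n", demo_sequence(&ub, make_room_unpatched) < 0
           ? "fault (memmove from NULL+1)" : "ok");
    printf("patched:   %s, first URL in buffer is now \"%s\"\n",
           demo_sequence(&ub, make_room_patched) < 0 ? "fault" : "ok", ub.buf);
    return 0;
}
```

With these constructed sizes the first URL alone fills the buffer past the threshold before its terminator is written, which is exactly the state memchr() cannot handle in the old code. The patched loop keeps the second half of that URL, and the later URLs then push it out normally once the buffer fills again with a terminator present.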