Bug in POP3 code



	Hi all,
I'm trying to help Ali a bit. I found this bug in POP3 code : in
libbalsa/pop3.c

static PopStatus
fetch_pop_mail (const gchar *pop_host, const gchar *pop_user,
		const gchar *pop_pass, gint pop_port,
		gboolean use_apop, gboolean delete_on_server,
		gchar * last_uid, ProgressCallback prog_cb,
		ProcessCallback proccb, const gchar *data)
{
    char buffer[2048];
    char uid[80];
    int s, msgs, bytes, first_msg;
    PopStatus status = POP_OK;

    g_return_val_if_fail(pop_host, POP_HOST_NOT_FOUND);
    g_return_val_if_fail(pop_user, POP_AUTH_FAILED);


    DM("POP3 - begin connection");
    status = pop_connect(&s, pop_host, pop_port);
    DM("POP3 Connected; hello");

   if(status == POP_OK)
	status = pop_auth(s, pop_user, pop_pass, use_apop);

    DM("POP3 authentication %s successful", (status ==POP_OK ? "" :
"NOT"));
    if(status == POP_OK)
	status = pop_get_stats(s, &first_msg, &msgs, &bytes,  
			       delete_on_server ? NULL : uid, last_uid);
    DM("POP3 status after get stats: %d", status);
    if(status == POP_OK)
	status = proccb(s, first_msg, msgs, bytes, delete_on_server, 
			data, prog_cb);
    
    if(status != POP_CONN_ERR) {
	DM("POP3 C: quit");
	/* exit gracefully */
Bug---->write (s, "quit\r\n", 6);
	getLine (s, buffer, sizeof (buffer)); /* snarf the response */
	if(status == POP_OK)
	    strcpy(last_uid, uid);/* FIXME: overflow error on hideous
reply? */
    }
    close (s);

    return status;
}

the bug happens when the pop_connect fails and gives another status than
POP_CONN_ERR and has not set *s (this happens when pop_connect returns
POP_HOST_NOT_FOUND, when HAVE_GETADDRINFO is defined). So you end up
writing with an uninitialized var "s" as file descriptor.
I don't know what we should do (I think we just have to be more selective
on when we send a "quit" command to the POP3 server).
I'll go on nailing down bugs on this code.
Bye
Manu




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]