[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

router coredump in logit()


the code of logit() function around router.c:570 is incorrect.
It tries to cut down the "from" string if it is too long, but
if the "id" string is too long, it happens that baselen is
bigger that strlen(from)+MAXSAFESIZE, and offset in the line
574 "c = *(from+MAXSAFESIZE-baselen);" is negative.  This causes

This happend when someone put a junk in the Message-ID header:
Message-ID: .........................something
Zmailer converted every dot into the text "(illegal something blah-blah)"
and "id" became longer than 1Kb.