
mailbox process growing - found (I think)



I think that I found the cause of mailbox processes infinitely growing,
at least one case.

In transports/libta/mimeheaders.c around line 802 there is a call:
	s = skip_822linearcomments(s);
this function skips blank, tab, newline and rfc822 comments in
parentheses.

Several lines below, there is a call:
	p = skip_822linearcomments(s);
and then
	s = skip_mimetoken(p);
skip_mimetoken is in fact _skip_822atom()

Now imagine what happens if after a semicolon there is a character that
is neither blank, tab nor newline but is distinguished as a delimiter by
_skip_822atom()?  Right, the 's' pointer will not advance!  The thing that
it points to will be distinguished as "unknown attribute" around line
840 and put into a newly allocated chunk of memory.  And again, and again.

In my case, I had mail with a carriage return '\r' after the semicolon.  Once
I added '\r' to the "if" operator in line 616, the message passed.  But this
is not a general solution.  A proper fix must guarantee that the "s" pointer
would advance under any circumstances.

Eugene
--
Eugene Crosser, dep. head of Internet Applications dept., +7 501 787 1000
"Russia-On-Line", Teleross, Golden Telecom, http://www.online.ru/~crosser/
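
The stall described in this message, and a progress guard of the kind it asks for, as an added example (a simplified model, not the ZMailer source). The names skip_lwsp_comments, skip_token and walk_params are hypothetical, "attr=value" is treated as a single token, and an iteration limit stands in for the unbounded allocation.

```c
#include <stdio.h>
#include <string.h>

/* Model of skip_822linearcomments(): skips blank, tab, newline and
   parenthesised comments. '\r' is deliberately NOT skipped. */
static const char *skip_lwsp_comments(const char *s) {
    for (;;) {
        while (*s == ' ' || *s == '\t' || *s == '\n') s++;
        if (*s != '(') return s;
        int depth = 0;
        do {
            if (*s == '(') depth++;
            else if (*s == ')') depth--;
            s++;
        } while (*s && depth > 0);
    }
}

/* Model of the atom skipper: stops at space, control characters and
   delimiters, so it returns its argument unchanged when given '\r'. */
static const char *skip_token(const char *s) {
    while ((unsigned char)*s > ' ' && *s != 0x7f && !strchr("()<>@,;:\\\"[]", *s)) s++;
    return s;
}

/* Walks "; attr; attr ..." and returns the number of attributes recorded,
   or -1 when the iteration limit is hit (the stall; the real process keeps
   allocating instead). guarded != 0 forces progress on an empty token. */
int walk_params(const char *s, int guarded, int limit) {
    int recorded = 0;
    while (*s) {
        if (limit-- <= 0) return -1;
        if (*s == ';') s++;
        const char *p = skip_lwsp_comments(s);
        s = skip_token(p);
        if (s == p && *s && *s != ';') {            /* empty token on an unexpected byte */
            if (!guarded) { recorded++; continue; } /* "unknown attribute" stored, s unchanged */
            s++;                                    /* guard: always consume at least one byte */
            continue;
        }
        if (s != p) recorded++;
    }
    return recorded;
}

int main(void) {
    const char *hdr = "; charset=us-ascii;\r\n name=x";  /* constructed sample input */
    printf("unguarded: %d\n", walk_params(hdr, 0, 1000));
    printf("guarded:   %d\n", walk_params(hdr, 1, 1000));
    return 0;
}
```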