> While I don't profess to be the keeper of BSD POP3d, I have made recent
> changes and made them available. So.... I took a very quick look and
> changed that "offending" strcpy to a strncpy. I'll soon put 1.005f
> up on: ftp://ftp.scott.net/pub/linux/mail
Thank you for the quick response.
> Is this security notice based on an exploit or is it just from examination
> of the code? My cursory glance indicates that there is no real threat from
> that strcpy because the length of the input has already been checked before
Only upon examination-- I only looked at the code, saw
strcpy(static_array,char *) and gasped-- and made the release. It looks
as if, within function svr_auth it only gets the input from a 128
character array, then later, subtracts the first four characters out
(deciding if it is USER or PASS or whatever) and then puts that into a
pointer when a different function is called, and then strcpy's it.
> FUNCTION: svr_auth(state,inbuf), has the "offending" line:
> strcpy(cli_user,inbuf);
> BUT: svr_auth is called from MAIN with:
> svr_state = svr_auth(svr_state,cli_buf);
> where cli_buf is read previously from stdin with:
> if (fgetl(cli_buf,CLI_BUFSIZ,stdin) == NULL)
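An added example, not part of the original thread or of BSD POP3d's code: a bounded read only makes the later strcpy safe if the destination can hold whatever remains of the line, and a plain strncpy swap still needs explicit termination. `CLI_BUFSIZ` = 128 is assumed from the "128 character array" mentioned above; `USER_MAX`, `copy_user` and `strncpy_terminated` are hypothetical names and sizes.

```c
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ 128 /* assumed from the "128 character array" in the thread */
#define USER_MAX 64    /* hypothetical size for the static user-name array */

static char cli_user[USER_MAX];

/* Checked replacement for strcpy(cli_user, inbuf): skip the 4-letter command
 * and the space after it, then copy only if the argument fits with its NUL.
 * Returns 0 on success, -1 on a malformed or oversized line (dst untouched). */
int copy_user(char *dst, size_t dstsz, const char *inbuf)
{
    if (strncmp(inbuf, "USER ", 5) != 0)
        return -1;
    const char *arg = inbuf + 5;
    size_t len = strcspn(arg, "\r\n");      /* drop the line terminator */
    if (len == 0 || len >= dstsz)
        return -1;                          /* reject instead of truncating */
    memcpy(dst, arg, len);
    dst[len] = '\0';
    return 0;
}

/* strncpy() writes no terminator when the source fills the destination.
 * Returns 1 if an 8-byte destination ends up NUL-terminated, else 0. */
int strncpy_terminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

int main(void)
{
    char line[CLI_BUFSIZ];                  /* constructed sample input */
    memset(line, 'A', sizeof line - 1);
    memcpy(line, "USER ", 5);
    line[sizeof line - 1] = '\0';
    printf("short name: %d\n", copy_user(cli_user, sizeof cli_user, "USER alice\r\n"));
    printf("122-byte name: %d\n", copy_user(cli_user, sizeof cli_user, line));
    printf("strncpy terminated: %d %d\n",
           strncpy_terminated("bob"), strncpy_terminated("12345678"));
    return 0;
}
```
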