Path: utzoo!mnetor!uunet!husc6!mit-eddie!uw-beaver!fluke!battan
From: battan@tc.fluke.COM (Jim Battan)
Newsgroups: news.software.b
Subject: Re: Strange Core Dumps
Message-ID: <2479@fluke.COM>
Date: 14 Dec 87 17:57:26 GMT
References: <2122@crash.cts.com>
Sender: news@tc.fluke.COM
Lines: 57
Summary: a quick fix

In article <2122@crash.cts.com>, bblue@crash.cts.com (Bill Blue) writes
about how rnews is leaving around articles and core dumps when processing
certain articles having Message-IDs of the form:
> >Message-ID: 

John Gilmore has the right idea.  This is a problem with an sprintf
overflowing due to not having enough memory and/or arguments.  The
% in the Message-ID is sent through sprintf when the article's
forwarding to other sites gets recorded in the log file.  Specifically,
in broadcast() (ifuncs.c), "sentbuf" gets the Message-ID and a list
of sites the article is sent to.  This is then sprintf-ed through
in log(), where it bombs.  How articles then get sent to the other sites
is mysterious, but I don't understand enough about the flow of the
articles to be sure.  Below, please find a suitable context diff that
can be sent thru patch(1L).  I've mailed the diff to Rick Adams for
inclusion in patch n.  Since the articles get posted correctly even
with this bug, you could wait for the official patch if you're the
cautious type.  Another possible fix could have been to the call to
log() in broadcast(), à la
	log("%s", sentbuf);
but my fix will (hopefully) have the same effect.  Note that I haven't
yet found an incoming article to really test this on.  And a general
disclaimer:  This works for me; your mileage may vary.

*** ifuncs.c.orig	Mon Dec 14 09:10:41 1987
--- ifuncs.c	Mon Dec 14 09:03:29 1987
***************
*** 113,119 ****
  		xerror("Cannot reread article");
  	(void) fclose(fp);
  
! 	(void) strcpy(sentbuf, h.ident);
  	(void) strcat(sentbuf, " sent to ");
  	sentsys = index(sentbuf, '\0');
  	nsent = 0;
--- 117,134 ----
  		xerror("Cannot reread article");
  	(void) fclose(fp);
  
! 	/* Double "%"'s in the header's ident, since log() would try to	*/
! 	/* interpret them in sentbuf.  Articles posted by some BITNET sites */
! 	/* occasionally have these types of Message-IDs.		*/
! 	/* e.g. 				*/
! 	hptr = h.ident;
! 	sptr = sentbuf;
! 	while (*hptr != '\0') {
! 		if (*hptr == '%')
! 			*sptr++ = '%';
! 		*sptr++ = *hptr++;
! 	}
! 	*sptr = '\0';
  	(void) strcat(sentbuf, " sent to ");
  	sentsys = index(sentbuf, '\0');
  	nsent = 0;
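Review bot: the copy loop has no bound on sentbuf, and hptr/sptr are used without being declared anywhere in this hunk. Every '%' in h.ident now costs two bytes, so an ident made mostly of '%' needs nearly twice its length in sentbuf; the old strcpy had no check either, but the doubling makes a long Message-ID more likely to run past the end. Suggest checking `sptr - sentbuf` against `sizeof sentbuf - 1` before each store (leaving room for the " sent to " strcat that follows) and truncating or skipping the log entry when it would not fit. The new-side range `--- 117,134 ----` against the old `*** 113,119 ****` implies four lines were added above this point that the posted diff omits, presumably the declarations for hptr and sptr; without them the patched file will not compile, so include that hunk. Also, the `/* e.g. */` comment carries no example, and the alternative mentioned in the text, `log("%s", sentbuf)`, is the more robust fix because it removes the data from the format string altogether instead of relying on every caller of log() to escape it.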
-- 
Jim Battan     Domain: battan@tc.fluke.COM  Voice: +1 206 356 6469
UUCP: {uw-beaver,decvax!microsof,ucbvax!lbl-csam,allegra,sun}!fluke!battan
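The failure described in the post, as an added example that is not B News code and not part of the original article: a buffer holding the Message-ID is handed to a printf-style logger as its format string, so any '%' in the header is interpreted as a conversion. The names news_log, escape_percent, log_unsafe, log_escaped and log_fixed_format are hypothetical stand-ins for rnews's log() and broadcast(); the sample Message-ID is constructed, and uses "%%" rather than "%s" so that the unsafe path shows the interpretation (the "%%" collapses to "%") without the undefined behaviour that a conversion reading a missing argument would cause.

```c
/* Added example, not B News code. Shows why a Message-ID containing '%'
 * reaches the printf family as a format string, and two ways to stop it:
 * the '%'-doubling escape from the patch above (with a bound check) and
 * the "%s" fixed-format call mentioned in the post. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

#define LOGBUF 256

/* Hypothetical stand-in for rnews's log(): formats into a static buffer
 * instead of appending to the log file, so callers can inspect the result. */
static char logbuf[LOGBUF];

static void news_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);   /* fmt is interpreted here */
    va_end(ap);
}

/* Copy src to dst, doubling every '%' so a later printf-style pass emits it
 * literally. Worst case every byte doubles, so the length is checked on each
 * store. Returns the number of bytes written (excluding the NUL), or -1 if
 * the escaped string would not fit in dst. */
int escape_percent(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (n + need >= dstsz)      /* leave room for the terminating NUL */
            return -1;
        if (*src == '%')
            dst[n++] = '%';
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Unsafe: sentbuf, which contains the Message-ID, is the format string.
 * A conversion such as "%s" in ident would read an argument that was never
 * passed, which is the core dump the post describes. */
const char *log_unsafe(const char *ident)
{
    char sentbuf[LOGBUF];
    snprintf(sentbuf, sizeof sentbuf, "%s sent to siteA siteB", ident);
    news_log(sentbuf);
    return logbuf;
}

/* Safe, the patch's approach: escape '%' before building sentbuf, and
 * refuse to log rather than overrun the buffer when the ident is too long. */
const char *log_escaped(const char *ident)
{
    char esc[LOGBUF];
    char sentbuf[LOGBUF];
    if (escape_percent(esc, sizeof esc, ident) < 0)
        return NULL;
    snprintf(sentbuf, sizeof sentbuf, "%s sent to siteA siteB", esc);
    news_log(sentbuf);
    return logbuf;
}

/* Safe, the alternative from the post: a fixed format with the data as an
 * argument, so nothing in ident is ever interpreted. */
const char *log_fixed_format(const char *ident)
{
    char sentbuf[LOGBUF];
    snprintf(sentbuf, sizeof sentbuf, "%s sent to siteA siteB", ident);
    news_log("%s", sentbuf);
    return logbuf;
}

int main(void)
{
    /* Constructed Message-ID of the kind the post attributes to BITNET sites. */
    const char *ident = "<a%%b@host>";
    printf("unsafe:        %s\n", log_unsafe(ident));
    printf("escaped:       %s\n", log_escaped(ident));
    printf("fixed format:  %s\n", log_fixed_format(ident));
    return 0;
}
```

With the constructed ident the unsafe path logs `<a%b@host>`, silently rewriting the Message-ID, while both safe paths log it exactly as received. The fixed-format variant is preferable in the original code because it needs no escaping at all and cannot be undone by a future caller that forgets to double the '%'.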