Mailing List Archive

size argument to snprintf and cli_malloc
In cvs head...

I see in clamav-milter.c

snprintf(reject, sizeof(reject) - 1,

According to man 3 printf

snprintf and vsnprintf do not write more than size bytes (including the
trailing '\0'),




Also
In libclamav/others.c:

void *cli_malloc(size_t size)
{
    void *alloc;

    alloc = malloc(size);

    if(!alloc) {
        cli_errmsg("cli_malloc(): Can't allocate memory (%d bytes).\n",
                   size);
        perror("malloc_problem");
        /* _exit(1); */
        return NULL;
    } else return alloc;
}

Which means that all the code which does not check the return of
cli_malloc can cause a segfault.......

In the case of clamav-milter a proper response might include flagging an
oom condition and setting tempfail by clamfi_eom...

Thoughts?

Joe
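
Added example, not part of the original message and not ClamAV code: a small C program covering both points raised above, that snprintf takes the full buffer size (it reserves the byte for the trailing '\0' itself) and that a NULL from an allocator has to be checked and turned into a temporary failure. The result codes, fill_reject, make_reject, failing_alloc and the sample strings are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example; not clamav-milter's own. */
enum result { R_OK, R_TRUNCATED, R_FORMAT_ERROR, R_TEMPFAIL };

/* Copy msg into dst with snprintf. `size` is the whole buffer: snprintf
 * already reserves one byte of it for the trailing '\0'. */
static enum result fill_reject(char *dst, size_t size, const char *msg)
{
    int n = snprintf(dst, size, "%s", msg);
    if (n < 0)
        return R_FORMAT_ERROR;
    /* n is the length the full output needs; >= size means it was cut. */
    return ((size_t)n >= size) ? R_TRUNCATED : R_OK;
}

typedef void *(*alloc_fn)(size_t);

/* Allocator that always fails, standing in for an out-of-memory malloc. */
static void *failing_alloc(size_t size) { (void)size; return NULL; }

/* Allocate a buffer through `alloc` and fill it. A NULL from the allocator
 * is reported as R_TEMPFAIL instead of being dereferenced. */
static enum result make_reject(alloc_fn alloc, size_t size, const char *msg,
                               char **out)
{
    char *buf = alloc(size);
    *out = NULL;
    if (buf == NULL)
        return R_TEMPFAIL;
    enum result r = fill_reject(buf, size, msg);
    if (r == R_FORMAT_ERROR) { free(buf); return r; }
    *out = buf;
    return r;
}

int main(void)
{
    char reject[8];   /* constructed 8-byte buffer; "ABCDEFG" needs 7 + '\0' */
    char *p = NULL;
    printf("full size: %d\n", fill_reject(reject, sizeof(reject), "ABCDEFG"));
    printf("size - 1:  %d\n", fill_reject(reject, sizeof(reject) - 1, "ABCDEFG"));
    printf("oom:       %d\n", make_reject(failing_alloc, 64, "x", &p));
    if (make_reject(malloc, 64, "x", &p) == R_OK) free(p);
    return 0;
}
```

Passing sizeof(reject) - 1 is not unsafe, it only gives up one usable byte, which is why the 7-character string fits in the first call and is cut in the second.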