Hi Yutaka,

Thanks a lot for the info. I will try the patch.

Jean Aumont

-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org]
Sent: Friday, August 22, 2008 12:38 AM
To: feedback@delegate.org
Cc: Jean Aumont
Subject: Re: [DeleGate-En] VStr overflow in Xstrcpy and TIME_WAIT state

Hi,

In message <_A4086@delegate-en.ML_> on 08/22/08(06:55:54)
you "Jean Aumont" <pvahqbdyi-aipiireovalr.ml@ml.delegate.org> wrote:
 |Regarding the Question 1: Is this normal to see "VStr overflow in
 |Xstrcpy" in the ERRORLOG file ?
 |
 |In my configuration file there is nothing longer than about 100
 |characters, so I do not think that this is the problem.
 |
 |But regarding the logs, I see always the same pattern:

Even if your input parameter is short, it might be expanded internally
by DeleGate, and the result is reported in the LOGFILE.
For example, a password string for -list{user:pass} in AUTHORIZER is
hashed into an MD5 string which can be far longer than the original
string as follows:

  AUTHORIZER="-list{1:1,2:2,3:3,4:4,5:5,6:6,7:7}"

  LOGFILE:
  **** Encrypt it as
  AUTHORIZER=-list{1:MD5:c4ca4238a0b923820dcc509a6f75849b,2:MD5:c81e728d9d
  4c2f636f067f89cc14862c,3:MD5:eccbc87e4b5ce2fe28308fd9f2a7baf3,4:MD5:a87f
  f679a2f3e71d9181a67b7542122c,5:MD5:e4da3b7fbbce2345d7772b0674a318d5,6:MD
  5:1679091c5a880faf6fb5e6087eb1b2dc,7:MD5:8f14e45fceea167a5a36dedd4bea254
  3}
  ...
  08/22 13:27:33.00 [23973] 0+0: arg[4]
  AUTHORIZER=-list{1:MD5:c4ca4238a0b923820dcc509a6f75849b,2:MD5:c81e728d9d
  4c2f636f067f89cc14862c,3:MD5:eccbc87e4b5ce2fe28308fd9f2a7baf3,4:MD5:a87f
  f679a2f3e71d9181a67b7542122c,5:MD5:e4da3b7fbbce2345d7772b0674a318d5,6:MD
  5:1679091c5a880faf6fb5e6087eb1b2dc,7:MD5:8f14e45fceea167a5a36dedd4bea254
  3}

With this example, I can reproduce the "VStr overflow in Xstrcpy" in
the authentication procedure of DeleGate. Since the restriction by
256 bytes (MaxHostNameLen) is not an intended limitation, it will be
fixed as the enclosed patch in the next release (9.8.5-pre6).

Cheers, Yutaka -- 9 9 Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/ ( ~ ) National Institute of Advanced Industrial Science and Technology _< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan Do the more with the less -- B. Fuller *** dist/src/delegate9.8.4-pre5/src/access.c Thu Jul 31 20:11:30 2008 --- ./src/access.c Fri Aug 22 13:23:11 2008 *************** *** 1628,1634 **** --- 1628,1637 ---- return wa; } int CTX_withAuth(Connection *Conn){ + /* CStr(authserv,MaxHostNameLen); + */ + CStr(authserv,MaxAuthServLen); if( getMountAuthorizer(Conn,AVStr(authserv),sizeof(authserv)) ){ return 1; }else *************** *** 1657,1663 **** --- 1660,1669 ---- } int doAuthX(Connection *Conn,AuthInfo *ident) { int rcode; + /* CStr(authserv,MaxHostNameLen); + */ + CStr(authserv,MaxAuthServLen); CStr(userpass,256); const char *dp;
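
Review bot: MaxAuthServLen, used in the new CStr(authserv,MaxAuthServLen) declaration in CTX_withAuth, is not defined anywhere in the visible diff to access.c, so the new buffer size cannot be checked from this patch. Please include the header change that introduces it and state its value in the commit message. The old declaration is also left behind inside a comment; deleting it outright would read more cleanly, since the revision history already records the previous size.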
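
Review bot: In the doAuthX hunk, CStr(userpass,256) directly below the enlarged authserv still has the old 256-byte size. It is worth confirming that no part of the expanded authorizer string is ever copied into userpass, or sizing it with a named constant as well. Raising the limit to MaxAuthServLen is still a fixed limit, so a longer -list{} will reach it in turn; consider rejecting an over-long AUTHORIZER at startup with a clear error rather than relying on the overflow message at authentication time.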
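
The expansion described in the reply above, as an added example that is not part of the original messages or of DeleGate's source: it computes how long a -list{user:pass,...} value becomes once each password is replaced by "MD5:" plus 32 hex digits, and compares that with the 256-byte limit. The function names and the simple entry grammar (no nested braces or escapes) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define OLD_CAP 256             /* the 256-byte limit named in the reply */
#define MD5_FIELD_LEN (4 + 32)  /* "MD5:" plus 32 hex digits */

/* Length (without NUL) of a -list{user:pass,...} value after every
 * password is replaced by "MD5:<32 hex>". Returns 0 on malformed input.
 * Assumed grammar: plain user:pass entries separated by commas. */
size_t expanded_list_len(const char *spec)
{
    static const char prefix[] = "-list{";
    const size_t plen = sizeof(prefix) - 1;
    const char *p, *end;
    size_t total;

    if (strncmp(spec, prefix, plen) != 0)
        return 0;
    end = strchr(spec + plen, '}');
    if (end == NULL || end[1] != '\0')
        return 0;

    total = plen + 1;                       /* prefix and closing brace */
    for (p = spec + plen; p < end; ) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        const char *stop = comma ? comma : end;
        const char *colon = memchr(p, ':', (size_t)(stop - p));
        if (colon == NULL || colon == p)
            return 0;                       /* entry lacks a user or ':' */
        /* user + ':' + hashed password (+ the separating comma) */
        total += (size_t)(colon - p) + 1 + MD5_FIELD_LEN + (comma ? 1 : 0);
        p = comma ? comma + 1 : end;
    }
    return total;
}

/* 1 if the expanded value and its terminating NUL fit in cap bytes. */
int fits_buffer(const char *spec, size_t cap)
{
    size_t n = expanded_list_len(spec);
    return n != 0 && n + 1 <= cap;
}

int main(void)
{
    const char *spec = "-list{1:1,2:2,3:3,4:4,5:5,6:6,7:7}"; /* from the reply */
    printf("input %zu bytes, expanded %zu bytes, fits in %d bytes: %s\n",
           strlen(spec), expanded_list_len(spec), OLD_CAP,
           fits_buffer(spec, OLD_CAP) ? "yes" : "no");
    return 0;
}
```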