UCB Mail (mailx for System V) bug

Glenn Barry glenn at mathcs.emory.edu
Sat Aug 26 15:22:46 AEST 1989


(I'll send a copy of this to bsd-bugs and sun-bugs, I'm not sure
who to tell at AT&T or Apple.  Please check to see if your version of Unix has
the problem and pass this info onto your vendor. --glenn)


Problem:

Mail dumps core when processing an 'alias' command (in the .mailrc file) that 
is slightly greater than BUFSIZ bytes *and* uses continuation lines 
(end preceding line with backslash).


Systems:  

4.3BSD, 4.3-tahoe (not tested, but looks like it)
System V Release 2 and 3
SunOS 4.0.{0,1,3} 
A/UX 1.1
(probably any Unix system derived from 4.XBSD and System V since most
vendors' Mail/mailx seem to be derived from an early bsd version of Mail)


Caveat:  

Using continuation lines in the .mailrc is not in the man pages I've checked
but the code supports it (well, almost:-) and it's "common" practice.


Repeat By:  

MAILRC=mailrc.boom Mail 
		
where the file mailrc.boom is the following (all my friends are nobodies:-):


alias t_fc nobody%asabet.DEC at decwrl.dec.com rayssd!raybed2.RAY.COM!nobody \
        nobody at bbn.com nobody at beach.cis.ufl.edu nobody at csri.toronto.edu \
        nobody at theory.cs.cmu.edu nobody at uhura.cc.rochester.edu attunix!nobody \
        nobody!nobody nobody at bbn.com nobody at MSU.BITNET \
        nobody%compsci.bristol.ac.uk at NSFnet-Relay.AC.UK \
        nobody at isis.berkeley.edu att!cblpn!nobody sun!terrapin!nobody \
        nobody%etive.edinburgh.ac.uk at NSFnet-Relay.AC.UK  nobody at wellesley.edu \
        nobody at usceast.UUCP nobody at eos.arc.nasa.gov nobody at dgbt.crc.dnd.ca \
        nobody%ukc.ac.uk at NSFnet-Relay.AC.UK \
        nobody%fulcrum.bt.co.uk at NSFnet-Relay.AC.UK nobody at cup.portal.com \
        nobody.nobody%brunel.ac.uk at NSFnet-Relay.AC.UK nobody at dewey.udel.edu \
        nobody at telesci.UUCP nobody at boulder.colorado.edu \
        nobody%tisl.decnet at tisl.af.mil nobody-nobody at cs.yale.edu \
        nobody at ifi.uio.no gatech!cs.utexas.edu!halley!nobody \
        nobody.nobody at K.GP.CS.CMU.EDU cbnewsi.ATT.COM!nobody \
        attbl!homxc!nobody homxc!nobody tridom!nobody \
        nobody at blake.acs.washington.edu  nobody at whoball.uucp


Slightly more detailed description:

When reading one's .mailrc file and encountering an 'alias' command,
commands() (lex.c)  calls readline() (fio.c) for each line of input
from the file (this includes individual continuation lines).   A check is made
that the line read is not greater than the size of the input buffer (LINESIZE =
BUFSIZ = (usually) 1024).  The problem is that the input line as a whole (the 
sum of the continuation lines) is not checked against LINESIZE, just each 
individual line (from the file) is checked.

Thus, if the alias command "line" is slightly greater than LINESIZE, nasty
things happen, like the stack gets blown away.


Fix:  

(for the SunOS 4.0 Mail, derived from System V Release 2 mailx,
this will not work for the 4.3BSD Mail because readline() has
been changed to use fgets(3))

A possible (but  kludgey) fix is to add another parameter to readline() 
which is a char ptr (or just use the input array, itself) pointing to the 
*start* of the input buffer.  And then use it to check (in readline()) 
against the current input position to see if the buffer is "full".  

Also, the input buffer should probably be increased to allow 
(more) voluminous aliases.


-- 
Glenn T. Barry      |  glenn at mathcs.emory.edu                   Internet
Emory University    |  {sun!sunatl,gatech}!emory!glenn          UUCP
Dept of Math and CS |  glenn at emory                              BITNET
Atlanta, GA 30322   |  ph: (404) 727-5637
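
The check described under "Fix", sketched as an added example (not part of the original post and not the Mail source): a continuation-joining reader that measures the space left from the start of the buffer, next to the per-line check the post says is the only one made. The function names, the in-memory input, the shrunken LINESIZE of 64 and the sample alias are all assumptions made for illustration.

```c
#include <string.h>

#define LINESIZE 64   /* small stand-in for the post's LINESIZE (= BUFSIZ) */
/* Constructed sample: three physical lines, each shorter than LINESIZE. */
static const char SAMPLE[] =
    "alias t_fc nobody@a.example nobody@b.example \\\n"
    "        nobody@c.example nobody@d.example \\\n"
    "        nobody@e.example nobody@f.example\n";

/* The check as the post describes it: every physical line is compared
 * with LINESIZE, the joined line never is. Returns 1 if all lines pass. */
static int per_line_check_accepts(const char *text)
{
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= LINESIZE) return 0;
        text += n;
        if (*text == '\n') text++;
    }
    return 1;
}

/* Bounded variant: joins continuation lines into buf, checking the room left
 * from the start of buf. Returns the length, or -1 with *src unchanged. */
static long read_logical_line(const char **src, char *buf, size_t bufsize)
{
    const char *s = *src;
    char *cp = buf, *end = buf + (bufsize ? bufsize - 1 : 0);
    if (bufsize == 0) return -1;
    for (;;) {
        size_t n = strcspn(s, "\n");
        int cont = n > 0 && s[n - 1] == '\\';
        size_t copy = cont ? n - 1 : n;        /* drop the backslash */
        if (copy > (size_t)(end - cp)) { buf[0] = '\0'; return -1; }
        memcpy(cp, s, copy);
        cp += copy;
        s += n;
        if (*s == '\n') s++;
        if (!cont || *s == '\0') break;
    }
    *cp = '\0';
    *src = s;
    return (long)(cp - buf);
}

int main(void)
{
    char b[LINESIZE]; const char *p = SAMPLE;
    /* exit 0: per-line check passes, bounded reader refuses the joined line */
    return per_line_check_accepts(SAMPLE) && read_logical_line(&p, b, sizeof b) == -1 ? 0 : 1;
}
```
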


