Created attachment 192547
files/patch-remote-dos-fix-bugtraq-39838

http://git.savannah.gnu.org/gitweb/?p=tpop3d.git;a=commitdiff;h=ae0c8b3372ca10718c68f767944cbce3928573d7
http://savannah.nongnu.org/bugs/index.php?33413
https://www.securityfocus.com/bid/39838/info
https://www.cvedetails.com/bugtraq-bid/39838/tpop3d-Remote-Denial-of-Service-Vulnerability.html
I couldn't compile it on CURRENT:

--- buffer.o ---
buffer.c:155:5: error: called object type 'void *' is not a function or function pointer
    assert(a <= (size_t)INT_MAX);
    ^
/usr/include/assert.h:56:19: note: expanded from macro 'assert'
#define assert(e) ((e) ? (void)0 : __assert(__func__, __FILE__, \
    ^
1 error generated.
*** [buffer.o] Error code 1
--- connection.o ---
connection.c:118:59: warning: passing 'int *' to parameter of type 'socklen_t *' (aka 'unsigned int *') converts between pointers to integer types with different sign [-Wpointer-sign]
    if (getsockname(s, (struct sockaddr*)&(c->sin_local), &n) < 0) {
    ^~
/usr/include/sys/socket.h:667:74: note: passing argument to parameter here
int getsockname(int, struct sockaddr * __restrict, socklen_t * __restrict);
This patch is not mine, it comes from the official source. See the first link in comment #0. This looks like another clang-version-specific catch. I did not encounter it on stable/11 r332308. I do not know how to fix this failure.

As for warnings: tpop3d during compile will spew a decent number of warnings and has for some time. Maybe less with gcc; unsure.
A commit references this bug:

Author: krion
Date: Sun Dec 9 11:48:24 UTC 2018
New revision: 487039
URL: https://svnweb.freebsd.org/changeset/ports/487039

Log:
  Add patches to avoid accessing unallocated memory.

  buffer_consume_to_mark() was trying to use Boyer-Moore search to find specified mark string but implementation was walking through unallocated memory.

  PR: 227543
  Submitted by: Jeremy Chadwick <jdc@koitsu.org>

Changes:
  head/mail/tpop3d/Makefile
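
The kind of bounded mark search the commit log refers to, as an added example that is neither tpop3d's code nor the committed patch: a Boyer-Moore-Horspool scan whose every read is proven to lie inside the allocated length. The function name `find_mark_end`, its signature and the sample POP3 bytes are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not tpop3d's buffer_consume_to_mark): return the
 * offset just past the first occurrence of mark[0..mlen) in buf[0..blen),
 * or -1 if the mark is absent. Only bytes below blen are ever read. */
long find_mark_end(const unsigned char *buf, size_t blen,
                   const unsigned char *mark, size_t mlen)
{
    size_t skip[UCHAR_MAX + 1];
    size_t i, pos;

    /* Reject inputs that would make the window arithmetic wrap or
     * place the window past the end of the valid data. */
    if (!buf || !mark || mlen == 0 || mlen > blen || blen > (size_t)LONG_MAX)
        return -1;

    /* Bad-character table: default shift is the whole mark length. */
    for (i = 0; i <= UCHAR_MAX; i++)
        skip[i] = mlen;
    for (i = 0; i + 1 < mlen; i++)
        skip[mark[i]] = mlen - 1 - i;

    /* Invariant: pos + mlen <= blen, so buf[pos + mlen - 1] is in bounds.
     * blen - mlen cannot underflow because mlen <= blen was checked. */
    pos = 0;
    while (pos <= blen - mlen) {
        if (memcmp(buf + pos, mark, mlen) == 0)
            return (long)(pos + mlen);
        pos += skip[buf[pos + mlen - 1]];
    }
    return -1;
}

int main(void)
{
    /* Constructed sample input: two POP3 commands in one read buffer. */
    const unsigned char data[] = "RETR 1\r\nQUIT\r\n";
    long end = find_mark_end(data, sizeof data - 1,
                             (const unsigned char *)"\r\n", 2);
    printf("first line ends at offset %ld\n", end);
    return 0;
}
```

Passing the valid length separately from the allocation size matters here: the scan stops at `blen` even when the backing array is larger or the mark straddles the end of the received data.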