1. Forum
  2. DOVE-Net
  3. Synchronet Programming

  • src/sbbs3/mailsrvr.cpp

    From Rob Swindell (on Debian Linux)@VERT to Git commit to main/sbbs/master on Wed May 6 19:41:53 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/92ae6263408f0ddd5d05d802
    Modified Files:
    src/sbbs3/mailsrvr.cpp
    Log Message:
    mailsrvr: bound sockmimetext line scan with strnlen (CID 639931)

    The inner while-loop walks (*np + len) up to RFC822_MAX_LINE_LEN bytes
    relying on the embedded NUL test to stop early. When np points at the
    "\r\n" literal used as the empty-body fallback (issue #822), Coverity
    loses track of the literal's length and reports a 997-byte OVERRUN.
    Compute the scan length up-front with strnlen so the bound is explicit; behavior is unchanged but the OVERRUN false-positive is silenced.

    Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Rob Swindell (on Debian Linux)@VERT to Git commit to main/sbbs/master on Thu May 14 03:17:17 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/52099548d7f5782b818bdbe7
    Modified Files:
    src/sbbs3/mailsrvr.cpp
    Log Message:
    mailsrvr: POP3 reply -ERR (not !UNSUPPORTED) to USER/PASS in TRANSACTION state

    Some clients (e.g. Thunderbird) reuse an already-authenticated TCP socket
    and re-issue USER/PASS. Per RFC 1939 these are AUTHORIZATION-state-only commands, so respond with a plain -ERR and keep the session alive,
    matching Dovecot/Courier behavior and suppressing the misleading
    "!UNSUPPORTED COMMAND" log notice.

    Refs main/sbbs#1123

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net