Subject: bin/34095: Vacation(1) core dumps when there is a S
To: None <,>
From: Brian Buhrow <>
List: netbsd-bugs
Date: 07/26/2006 23:40:01
	Note: There was a bad value `' for the field `Class'.
	It was set to the default value of `sw-bug'.

>Number:         34095
>Category:       bin
>Synopsis:       Vacation(1) core dumps when there is a Subject: header with no content
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 26 23:40:01 +0000 2006
>Originator:     Brian Buhrow
>Release:        NetBSD 3.0_STABLE (and 2.x and -current)
NFB of California
System: NetBSD 3.0_STABLE NetBSD 3.0_STABLE (NFBNETBSD) #0: Tue Jan 31 14:45:08 PST 2006 i386
Architecture: i386
Machine: i386
	The vacation(1) program dumps core when it receives a message with a
Subject: header, but no content in that header.  The Microsoft Outlook
mail program generates Subject: headers regardless if the user types a
subject.  Such messages cause mailer-daemon messages to be returned to the
sender, and the vacation(1) program doesn't note the sender in its
Setup a user to generate vacation messages.  Then, send an e-mail message
with a Subject: header, but nothing else on that header line to the user
you just setup.  You'll get a mailer-daemon message back from the machine
running vacation, and a core file will appear in the user's home directory.

	The following patch fixes the problem.
Should apply cleanly to NetBSD-current, 2.x and 3.x branches.  I'd like to
see this applied before the 4.x branch branches, and back-applied to the
3.x branch.  Application to the 2.x branch would be nice as well, but I
don't know what the criteria for putting stuff in that branch is.

Index: vacation.c
RCS file: /cvsroot/src/usr.bin/vacation/vacation.c,v
retrieving revision 1.30
diff -u -r1.30 vacation.c
--- vacation.c	19 Aug 2004 13:43:54 -0000	1.30
+++ vacation.c	26 Jul 2006 23:27:51 -0000
@@ -386,7 +386,11 @@
 					*++p = '\0';
-				(void)strlcpy(subject, s, sizeof(subject));
+				if (s) {
+					(void)strlcpy(subject, s, sizeof(subject));
+				} else {
+					subject[0] = '\0';
+				}
 			if ((fflag & SENDER_FROM) != 0 &&
 			    COMPARE(buf, "Sender:") == 0)