$NetBSD: patch-aa,v 1.1 2009/09/08 10:36:27 tron Exp $

Fix an abort() caused by miscalculating the size of an internal buffer.
This can crash applications using "libspf2" (e.g. "milter-greylist")
in an e-mail gets delivered via SMTP over IPv6 depending on the
remote machine's IPv6 address.

--- src/libspf2/spf_expand.c.orig	2008-11-03 21:29:00.000000000 +0000
+++ src/libspf2/spf_expand.c	2009-09-08 11:27:52.000000000 +0100
@@ -245,7 +245,7 @@
 		case PARM_CLIENT_IP:		/* SMTP client IP				*/
 #ifdef COMPUTE
 			if (compute_length) {
-				len = sizeof(ip6_buf);
+				len = sizeof(ip6_rbuf);
 				if (d->dv.url_encode)
 					len *= 3;
 				buflen += len;

http://www.gossamer-threads.com/lists/spf/devel/35098

--- src/libspf2/spf_compile.c	2008-11-03 15:37:33.000000000 -0500
+++ src/libspf2/spf_compile.c	2009-09-07 23:46:02.000000000 -0400
@@ -778,7 +778,7 @@
 	const char			*end;
 	const char			*p;
 
-	char				 buf[ INET_ADDRSTRLEN ];
+	char				 buf[ INET6_ADDRSTRLEN ];
 	size_t				 len;
 	int					 err;
 
--- src/libspf2/spf_interpret.c	2008-10-22 11:47:43.000000000 -0400
+++ src/libspf2/spf_interpret.c	2009-09-08 00:42:25.000000000 -0400
@@ -505,7 +505,7 @@
 	char		dst_ip6_buf[ INET6_ADDRSTRLEN ];
 
 	struct in6_addr		src_ipv6;
-	int				cidr, mask;
+	int				cidr, cidr_save, mask;
 	int				i;
 	int				match;
 
@@ -517,6 +517,7 @@
 	cidr = SPF_i_mech_cidr(spf_request, mech);
 	if ( cidr == 0 )
 		cidr = 128;
+	cidr_save = cidr;
 
 	match = TRUE;
 	for( i = 0; i < array_elem( ipv6.s6_addr ) && match; i++ )
@@ -538,7 +539,7 @@
 		INET_NTOP(AF_INET6, &ipv6.s6_addr,
 							dst_ip6_buf, sizeof(dst_ip6_buf));
 		SPF_debugf( "ip_match:  %s == %s  (/%d):  %d",
-				src_ip6_buf, dst_ip6_buf, cidr, match );
+				src_ip6_buf, dst_ip6_buf, cidr_save, match );
 	}
 
 	return match;