authorPhilip Hazel <ph10@hermes.cam.ac.uk>2005-09-12 10:49:30 +0000
committerPhilip Hazel <ph10@hermes.cam.ac.uk>2005-09-12 10:49:30 +0000
commitccfdb010f92ffcd0e1598c8720049f55f7603215 (patch)
tree56e90607a024d6d364190bee0bd34401180ea772
parent8800895ae8a1e9c49c739839a6623292d7a473d0 (diff)
Fix rare potential log buffer overflow.
-rw-r--r--doc/doc-txt/ChangeLog7
-rw-r--r--src/src/log.c4
2 files changed, 8 insertions, 3 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c09c42f3c..08907ffa7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.218 2005/09/12 10:08:53 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.219 2005/09/12 10:49:30 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -154,6 +154,11 @@ PH/36 When a locally submitted message by a trusted user did not contain a
PH/37 Added control=suppress_local_fixups.
+PH/38 When log_selector = +received_sender was set, and the addition of the
+ sender made the log line's construction buffer exactly full, or one byte
+ less than full, an overflow happened when the terminating "\n" was
+ subsequently added.
+
Exim version 4.52
-----------------
diff --git a/src/src/log.c b/src/src/log.c
index 1427bd061..24418c5e6 100644
--- a/src/src/log.c
+++ b/src/src/log.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/log.c,v 1.6 2005/06/28 10:23:35 ph10 Exp $ */
+/* $Cambridge: exim/src/src/log.c,v 1.7 2005/09/12 10:49:30 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -741,7 +741,7 @@ va_end(ap);
this way because it kind of fits with LOG_RECIPIENTS. */
if ((flags & LOG_SENDER) != 0 &&
- ptr < log_buffer + LOG_BUFFER_SIZE - 8 - Ustrlen(raw_sender))
+ ptr < log_buffer + LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
{
sprintf(CS ptr, " from <%s>", raw_sender);
while (*ptr) ptr++;
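Review bot: The guard in the `if` still depends on a bare `10` that nothing nearby explains: 8 bytes for the literal ` from <` and `>` in the `sprintf` format, one for the "\n" that the ChangeLog entry says is appended afterwards, and one for the terminating NUL. A comment such as `/* 10 = 8 for " from <>" + 1 for the later "\n" + 1 for the NUL */` would stop a later edit to the format string from silently reintroducing the overflow. The test is also done with pointer arithmetic, so a `raw_sender` longer than the remaining constant would form a pointer before `log_buffer`, which is undefined behaviour in C; comparing lengths instead avoids that: `Ustrlen(raw_sender) < LOG_BUFFER_SIZE - 10 - (ptr - log_buffer)`. Whether `raw_sender` is length-limited upstream is not visible here, and the enclosing function starts and ends outside the hunk.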