From 128a0cb344c869df98c1725cb8b8e07e34da0152 Mon Sep 17 00:00:00 2001
From: Markus Linnala <Markus.Linnala@cybercom.com>
Date: Wed, 18 Sep 2013 21:30:23 +0300
Subject: [PATCH 25/26] maage: valgrind mail misalloc

==10647== Invalid write of size 1
==10647==    at 0x4B1493: ngx_mail_smtp_merge_srv_conf (ngx_mail_smtp_module.c:280)
==10647==    by 0x4AB363: ngx_mail_block (ngx_mail.c:209)
==10647==    by 0x4303BE: ngx_conf_parse (ngx_conf_file.c:391)
==10647==    by 0x42DF03: ngx_init_cycle (ngx_cycle.c:265)
==10647==    by 0x4206A9: main (nginx.c:333)
==10647==  Address 0x550fb84 is 0 bytes after a block of size 68 alloc'd
==10647==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10647==    by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10647==    by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10647==    by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10647==    by 0x4B1447: ngx_mail_smtp_merge_srv_conf (ngx_mail_smtp_module.c:269)
==10647==    by 0x4AB363: ngx_mail_block (ngx_mail.c:209)
==10647==    by 0x4303BE: ngx_conf_parse (ngx_conf_file.c:391)
==10647==    by 0x42DF03: ngx_init_cycle (ngx_cycle.c:265)
==10647==    by 0x4206A9: main (nginx.c:333)
==10647==

Found by mail_imap.t from mdounin nginx-tests.
---
 src/mail/ngx_mail_smtp_module.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/mail/ngx_mail_smtp_module.c b/src/mail/ngx_mail_smtp_module.c
index cdd4e5e..f34dd1a 100644
--- a/src/mail/ngx_mail_smtp_module.c
+++ b/src/mail/ngx_mail_smtp_module.c
@@ -264,7 +264,7 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
         last[3] = ' ';
     }
 
-    size += sizeof("250 STARTTLS" CRLF) - 1;
+    size += sizeof("250 STARTTLS" CRLF CRLF) - 1;
 
     p = ngx_pnalloc(cf->pool, size);
     if (p == NULL) {
@@ -276,8 +276,7 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     p = ngx_cpymem(p, conf->capability.data, conf->capability.len);
 
-    p = ngx_cpymem(p, "250 STARTTLS" CRLF, sizeof("250 STARTTLS" CRLF) - 1);
-    *p++ = CR; *p = LF;
+    p = ngx_cpymem(p, "250 STARTTLS" CRLF CRLF, sizeof("250 STARTTLS" CRLF CRLF) - 1);
 
     p = conf->starttls_capability.data
         + (last - conf->capability.data) + 3;
-- 
1.7.7.6