
Defect: BUFFset uses the GROW_AMOUNT macro
Versions affected: INN 1.5.1 and derivatives, INN 1.7 (and derivatives)

Symptoms: innd crashes immediately or eventually due to memory
            corruption.

Trigger:  When BUFFset is used to copy large (>128K) backlogged
            channel buffers.

More details:
    The GROW_AMOUNT macro is defined in configdata.h as follows:
#define GROW_AMOUNT(x)		((x) < 128 * 1024 ? (x) : 128 * 1024)

The use of this macro to set bp->Size in BUFFset is an error, since
BUFFset must work with lengths greater than 128 * 1024.

Patch follows.  Against INN 1.7, but should apply cleanly to 1.5.1.

Forrest Cavalier, Mib Software, INN customization and consulting
Commercial support for INN: http://www.mibsoftware.com/innsup.htm

*** chan.c.orig	Wed Oct 08 12:10:08 1997
--- chan.c	Mon Oct 20 11:12:48 1997
***************
*** 47,53 ****
      if ((bp->Left = length) != 0) {
  	/* Need more space? */
  	if (bp->Size < length) {
! 	    bp->Size = GROW_AMOUNT(length);
  	    RENEW(bp->Data, char, bp->Size);
  	}
  
--- 47,53 ----
      if ((bp->Left = length) != 0) {
  	/* Need more space? */
  	if (bp->Size < length) {
! 	    bp->Size = length;
  	    RENEW(bp->Data, char, bp->Size);
  	}
  
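Review bot: the replacement line "bp->Size = length;" in the 47,53 hunk should carry a comment saying why GROW_AMOUNT is not used there. The macro caps its result at 128 * 1024, so it cannot serve as an absolute size, and without a note a later cleanup could easily put it back. A one-line comment above the assignment, for example /* exact size: GROW_AMOUNT clamps at 128K */, would do. It is also worth checking any other place where a GROW_AMOUNT result is assigned directly to a Size field.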

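The sizing error described under "More details", as an added example (not INN source code and not part of the original report). DEMOBUF, demo_resize and demo_shortfall are hypothetical names, realloc stands in for RENEW, and no payload is copied; the code only measures how far a later copy of `length` bytes would run past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>

/* Macro as quoted from configdata.h in the report above. */
#define GROW_AMOUNT(x)  ((x) < 128 * 1024 ? (x) : 128 * 1024)

/* Simplified stand-in for innd's BUFFER: only the fields the patch touches. */
typedef struct {
    size_t Size;   /* bytes allocated for Data */
    size_t Left;   /* bytes the caller intends to store */
    char  *Data;
} DEMOBUF;

/* Sizing step of BUFFset. clamp != 0 reproduces the pre-patch line,
 * clamp == 0 the patched one. Returns 0 on success, -1 if realloc fails. */
static int demo_resize(DEMOBUF *bp, size_t length, int clamp)
{
    if ((bp->Left = length) != 0 && bp->Size < length) {
        size_t want = clamp ? (size_t)GROW_AMOUNT(length) : length;
        char *p = realloc(bp->Data, want);
        if (p == NULL)
            return -1;
        bp->Data = p;
        bp->Size = want;
    }
    return 0;
}

/* Bytes a following copy of `length` bytes would write past the allocation.
 * Returns (size_t)-1 if the allocation itself failed. */
size_t demo_shortfall(size_t length, int clamp)
{
    DEMOBUF b = { 0, 0, NULL };
    size_t over = (size_t)-1;
    if (demo_resize(&b, length, clamp) == 0)
        over = b.Left > b.Size ? b.Left - b.Size : 0;
    free(b.Data);
    return over;
}

int main(void)
{
    printf("pre-patch, 200K: %zu bytes short\n", demo_shortfall(200 * 1024, 1));
    printf("patched,   200K: %zu bytes short\n", demo_shortfall(200 * 1024, 0));
    return 0;
}
```

Any length up to and including 128 * 1024 gives a shortfall of zero with either sizing line, which matches the report's trigger of buffers larger than 128K.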