apr-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject apr_tokenize_to_argv() - Can someone shed some light...
Date Thu, 04 Apr 2002 22:44:35 GMT
   It appears that apr_tokenize_to_argv() is running off the end of the
string in the following while loop:

while (*ct != '\0') {
       CHECK_QUOTATION(ct, isquoted);
       DETERMINE_NEXTSTRING(ct, isquoted);
       ct++;
       numargs++;
       SKIP_WHITESPACE(ct);
}

Given the null terminated string

     vol2:/apache20/bin/rotlogs.nlm vol2:/apache/logs 2000

which would result from the configuration directive

     CustomLog "|vol2:/apache20/bin/rotlogs.nlm vol2:/apache/logs/rotlogs 2000" common

the above while loop would continue to parse the string after it
reached the null terminator.  The reason why is because the macro
DETERMINE_NEXTSTRING() leaves "ct" pointing at the NULL after it parses
the last parameter.  Then "ct" is incremented before the while loop has
a chance to check for NULL.  So unless the string is double NULL
terminated, the resulting argument list will end up with whatever
garbage it finds after the end of the string.  Is the argument string
being passed in guaranteed to be double NULL terminated or have we just
been getting lucky?

Brad


Brad Nicholes
Senior Software Engineer
Novell, Inc., a leading provider of Net business solutions
http://www.novell.com 
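
The loop shape described in the message above, as an added example that is not part of the original post and is not APR code. The helpers skip_ws() and next_token_end() are simplified, hypothetical stand-ins for the macros (quoting is ignored), and the sample buffer is constructed so that the bytes after the terminator live in the same array and the over-read stays in defined memory.

```c
#include <stdio.h>

/* Hypothetical stand-ins for SKIP_WHITESPACE / DETERMINE_NEXTSTRING
 * (assumed behaviour: skip blanks; stop at the next blank or at NUL). */
static const char *skip_ws(const char *p) {
    while (*p == ' ' || *p == '\t') p++;
    return p;
}
static const char *next_token_end(const char *p) {
    while (*p != '\0' && *p != ' ' && *p != '\t') p++;
    return p;
}

/* Loop shape as posted: ct is advanced unconditionally after each token. */
static int count_args_as_posted(const char *ct) {
    int numargs = 0;
    ct = skip_ws(ct);
    while (*ct != '\0') {
        ct = next_token_end(ct);  /* may stop on the terminator */
        ct++;                     /* then steps past it */
        numargs++;
        ct = skip_ws(ct);
    }
    return numargs;
}

/* Guarded variant: advance only when ct is not already on the terminator. */
static int count_args_guarded(const char *ct) {
    int numargs = 0;
    ct = skip_ws(ct);
    while (*ct != '\0') {
        ct = next_token_end(ct);
        if (*ct != '\0') ct++;
        numargs++;
        ct = skip_ws(ct);
    }
    return numargs;
}

/* Constructed buffer: command string, its NUL, then leftover bytes and a
 * second NUL, followed by the literal's own terminator. */
static const char sample[] =
    "vol2:/apache20/bin/rotlogs.nlm vol2:/apache/logs 2000" "\0" "stale" "\0";

int main(void) {
    printf("as posted: %d args\n", count_args_as_posted(sample));
    printf("guarded:   %d args\n", count_args_guarded(sample));
    return 0;
}
```

The as-posted loop counts the leftover bytes as a fourth argument and only stops because the constructed buffer happens to contain two consecutive terminators; the guarded loop stops at the first one.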
