From Blair Zajac <bl...@orcaware.com>
Subject [PATCH] remove gcc bounds checking core dumps
Date Thu, 17 Apr 2003 22:30:45 GMT
I'm getting two core dumps when testing httpd with mod_dav_svn when
apr/apr-util/httpd-2.1 are compiled with the bounds checking gcc
compiler.

* network_io/unix/sockaddr.c (apr_parse_addr_port):
  When a number is passed in, a pointer to the character before
  the start of the string is created and compared against the
  pointer to the beginning of the string.  This is deemed illegal
  by the gcc bounds checking compiler.  Avoid calculating a pointer
  before the buffer.  Also, rename addrlen to be consistent with
  the new str_len variable.

* buckets/apr_buckets_alloc.c (apr_bucket_alloc):
  Do not create a pointer past the end of the bucket and compare
  it to a pointer in the bucket, otherwise the gcc bounds checking
  compiler will core dump.

These two patches need to be applied separately.

Index: network_io/unix/sockaddr.c
===================================================================
RCS file: /home/cvspublic/apr/network_io/unix/sockaddr.c,v
retrieving revision 1.37
diff -u -r1.37 sockaddr.c
--- network_io/unix/sockaddr.c  16 Feb 2003 10:10:20 -0000      1.37
+++ network_io/unix/sockaddr.c  17 Apr 2003 21:49:18 -0000
@@ -265,7 +265,7 @@
 {
     const char *ch, *lastchar;
     int big_port;
-    apr_size_t addrlen;
+    apr_size_t addr_len, str_len;

     *addr = NULL;         /* assume not specified */
     *scope_id = NULL;     /* assume not specified */
@@ -274,12 +274,18 @@
     /* First handle the optional port number.  That may be all that
      * is specified in the string.
      */
-    ch = lastchar = str + strlen(str) - 1;
-    while (ch >= str && apr_isdigit(*ch)) {
-        --ch;
+    str_len = strlen(str);
+    if (str_len == 0) {
+        return APR_EINVAL;
     }

-    if (ch < str) {       /* Entire string is the port. */
+    ch = str + str_len;
+    lastchar = ch - 1;
+    while (ch > str && apr_isdigit(*(ch-1))) {
+      --ch;
+    }
+
+    if (ch == str) {       /* Entire string is the port. */
         big_port = atoi(str);
         if (big_port < 1 || big_port > 65535) {
             return APR_EINVAL;
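Review bot: The new `if (str_len == 0)` early return is the only thing keeping `lastchar = ch - 1` from pointing before the buffer, and nothing in the hunk says so; a comment such as `/* empty string: lastchar = ch - 1 would point before str (the removed code reached the same APR_EINVAL through atoi("") == 0) */` would keep a later cleanup from dropping it. The `--ch;` inside the loop is also indented six columns where the surrounding block steps by four, and `*(ch-1)` reads more naturally as an index, i.e. `while (ch > str && apr_isdigit(ch[-1])) {` with the body at eight columns. apr_parse_addr_port starts before and ends after this hunk.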
@@ -288,6 +294,8 @@
         return APR_SUCCESS;
     }

+    --ch;
+
     if (*ch == ':' && ch < lastchar) { /* host and port number specified */
         if (ch == str) {               /* string starts with ':' -- bad */
             return APR_EINVAL;
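Review bot: The bare `--ch;` added before the `':'` test relies on an invariant that is not stated: after the digit loop ch is at the first trailing digit (or at the terminating NUL when there is no port), so stepping back lands on the same delimiter the removed loop stopped on, and ch > str holds only because the `ch == str` case returned above. Suggest `/* ch is at the first port digit (or the NUL); step back onto the char before it. ch > str here: the all-digits case returned above. */` directly above it. The enclosing function starts before and continues past this hunk.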
@@ -301,7 +309,7 @@
     }

     /* now handle the hostname */
-    addrlen = lastchar - str + 1;
+    addr_len = lastchar - str + 1;

 /* XXX we don't really have to require APR_HAVE_IPV6 for this;
  * just pass char[] for ipaddr (so we don't depend on struct in6_addr)
@@ -309,7 +317,7 @@
  */
 #if APR_HAVE_IPV6
     if (*str == '[') {
-        const char *end_bracket = memchr(str, ']', addrlen);
+        const char *end_bracket = memchr(str, ']', addr_len);
         struct in6_addr ipaddr;
         const char *scope_delim;

@@ -319,26 +327,26 @@
         }

         /* handle scope id; this is the only context where it is allowed */
-        scope_delim = memchr(str, '%', addrlen);
+        scope_delim = memchr(str, '%', addr_len);
         if (scope_delim) {
             if (scope_delim == end_bracket - 1) { /* '%' without scope id */
                 *port = 0;
                 return APR_EINVAL;
             }
-            addrlen = scope_delim - str - 1;
+            addr_len = scope_delim - str - 1;
             *scope_id = apr_palloc(p, end_bracket - scope_delim);
             memcpy(*scope_id, scope_delim + 1, end_bracket - scope_delim - 1);
             (*scope_id)[end_bracket - scope_delim - 1] = '\0';
         }
         else {
-            addrlen = addrlen - 2; /* minus 2 for '[' and ']' */
+            addr_len = addr_len - 2; /* minus 2 for '[' and ']' */
         }

-        *addr = apr_palloc(p, addrlen + 1);
+        *addr = apr_palloc(p, addr_len + 1);
         memcpy(*addr,
                str + 1,
-               addrlen);
-        (*addr)[addrlen] = '\0';
+               addr_len);
+        (*addr)[addr_len] = '\0';
         if (apr_inet_pton(AF_INET6, *addr, &ipaddr) != 1) {
             *addr = NULL;
             *scope_id = NULL;
@@ -352,9 +360,9 @@
         /* XXX If '%' is not a valid char in a DNS name, we *could* check
          *     for bogus scope ids first.
          */
-        *addr = apr_palloc(p, addrlen + 1);
-        memcpy(*addr, str, addrlen);
-        (*addr)[addrlen] = '\0';
+        *addr = apr_palloc(p, addr_len + 1);
+        memcpy(*addr, str, addr_len);
+        (*addr)[addr_len] = '\0';
     }
     return APR_SUCCESS;
 }




Index: buckets/apr_buckets_alloc.c
===================================================================
RCS file: /home/cvspublic/apr-util/buckets/apr_buckets_alloc.c,v
retrieving revision 1.9
diff -u -r1.9 apr_buckets_alloc.c
--- buckets/apr_buckets_alloc.c 1 Jan 2003 00:02:17 -0000       1.9
+++ buckets/apr_buckets_alloc.c 17 Apr 2003 21:49:30 -0000
@@ -118,7 +118,6 @@
 {
     node_header_t *node;
     apr_memnode_t *active = list->blocks;
-    char *endp;

     size += SIZEOF_NODE_HEADER_T;
     if (size <= SMALL_NODE_SIZE) {
@@ -127,18 +126,16 @@
             list->freelist = node->next;
         }
         else {
-            endp = active->first_avail + SMALL_NODE_SIZE;
-            if (endp >= active->endp) {
+            if (SMALL_NODE_SIZE >= active->endp - active->first_avail) {
                 list->blocks = apr_allocator_alloc(list->allocator, ALLOC_AMT);
                 list->blocks->next = active;
                 active = list->blocks;
-                endp = active->first_avail + SMALL_NODE_SIZE;
             }
             node = (node_header_t *)active->first_avail;
             node->alloc = list;
             node->memnode = active;
             node->size = SMALL_NODE_SIZE;
-            active->first_avail = endp;
+            active->first_avail = active->first_avail + SMALL_NODE_SIZE;
         }
     }
     else {
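Review bot: The rewritten test `SMALL_NODE_SIZE >= active->endp - active->first_avail` compares a ptrdiff_t against SMALL_NODE_SIZE, whose definition is not in this patch; if that macro is an unsigned (size_t-typed) expression, the difference is converted to unsigned, and the comparison is only correct because first_avail never exceeds endp. Making that explicit documents the invariant and avoids a sign-compare warning: `/* first_avail <= endp always holds, so the difference is non-negative */` followed by `if (SMALL_NODE_SIZE >= (apr_size_t)(active->endp - active->first_avail)) {`. The final assignment also reads better in compound form, `active->first_avail += SMALL_NODE_SIZE;`. apr_bucket_alloc's body continues past this hunk.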



Best,
Blair

-- 
Blair Zajac <blair@orcaware.com>
Plots of your system's performance - http://www.orcaware.com/orca/
