apr-dev mailing list archives

From Rici Lake <r...@ricilake.net>
Subject apr_buckets_socket.c possible buglet
Date Tue, 26 Apr 2005 17:45:31 GMT
The documentation for apr_socket_recv says:

"It is possible for both bytes to be received and an APR_EOF or other 
error to be returned."

However, socket_bucket_read (in apr_buckets_socket.c) contains the 

32    *str = NULL;
33    *len = APR_BUCKET_BUFF_SIZE;
34    buf = apr_bucket_alloc(*len, a->list); /* XXX: check for failure? 
36    rv = apr_socket_recv(p, buf, len);
38    if (block == APR_NONBLOCK_READ) {
39        apr_socket_timeout_set(p, timeout);
40    }
42    if (rv != APR_SUCCESS && rv != APR_EOF) {
43        apr_bucket_free(buf);
44        return rv;
45    }

At line 32, the caller's buffer is set to NULL. At line 36, the 
caller's len is set to the length returned from apr_socket_recv.

At line 44, if an error indication other than APR_EOF has been received 
from apr_socket_recv, then the bucket_read returns, handing the caller 
<NULL, len>. If len is not 0 at this point, as the documentation for 
apr_socket_recv says is possible, the caller may proceed to attempt to 
read the data from NULL and segfault.

A simple fix would be to delete lines 42-45 and replace line 75 with 
"return rv":

A better fix might be to hold onto the non-success indication until the 
subsequent call to socket_bucket_read.
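An added example (not part of the mail or of APR's code) that models the hazard with stand-ins for the APR calls: a simulated recv that can return bytes together with an error status, the check quoted above beside a variant that holds the status back until the next read. All names here (sim_sock, sim_recv, read_original, read_fixed, the SIM_* codes) are assumptions.

```c
/* Added example, not APR code: models the hazard the mail describes with
 * stand-ins for apr_socket_recv / apr_bucket_alloc (all names assumed). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SIM_SUCCESS 0
#define SIM_EOF     1
#define SIM_ERR     2
#define BUFF_SIZE   16   /* plays the role of APR_BUCKET_BUFF_SIZE */

/* Simulated socket: bytes still to deliver, the status reported once they
 * are drained, and a slot for a status held back for the next read. */
typedef struct { const char *data; size_t left; int status_after; int pending; } sim_sock;

/* Stand-in for apr_socket_recv: copies what it can and, like the documented
 * APR behaviour, may return a non-success status together with bytes. */
static int sim_recv(sim_sock *s, char *buf, size_t *len) {
    size_t n = s->left < *len ? s->left : *len;
    memcpy(buf, s->data, n);
    s->data += n; s->left -= n; *len = n;
    return s->left == 0 ? s->status_after : SIM_SUCCESS;
}

/* The logic quoted in the mail: on a non-EOF error the buffer is freed and
 * the caller receives <NULL, len> with len possibly non-zero. */
static int read_original(sim_sock *s, const char **str, size_t *len) {
    *str = NULL; *len = BUFF_SIZE;
    char *buf = malloc(*len);
    int rv = sim_recv(s, buf, len);
    if (rv != SIM_SUCCESS && rv != SIM_EOF) { free(buf); return rv; }
    *str = buf;
    return rv;
}

/* Variant along the lines of the mail's "better fix": bytes that arrived are
 * handed over now and the non-success status is held until the next call,
 * so the caller never sees a NULL buffer with a non-zero length. */
static int read_fixed(sim_sock *s, const char **str, size_t *len) {
    *str = NULL; *len = 0;
    if (s->pending != SIM_SUCCESS) { int rv = s->pending; s->pending = SIM_SUCCESS; return rv; }
    *len = BUFF_SIZE;
    char *buf = malloc(*len);
    int rv = sim_recv(s, buf, len);
    if (rv != SIM_SUCCESS && *len > 0) { s->pending = rv; rv = SIM_SUCCESS; }
    if (rv != SIM_SUCCESS && rv != SIM_EOF) { free(buf); return rv; }
    *str = buf;
    return rv;
}
```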
