axis-c-dev mailing list archives

From "Senaka Fernando (JIRA)" <j...@apache.org>
Subject [jira] Updated: (AXIS2C-724) potential access violation in dir_windows.c
Date Sat, 09 Feb 2008 21:11:08 GMT

     [ https://issues.apache.org/jira/browse/AXIS2C-724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Senaka Fernando updated AXIS2C-724:
-----------------------------------

    Fix Version/s: 1.3.0

> potential access violation in dir_windows.c
> -------------------------------------------
>
>                 Key: AXIS2C-724
>                 URL: https://issues.apache.org/jira/browse/AXIS2C-724
>             Project: Axis2-C
>          Issue Type: Bug
>          Components: platforms/windows
>    Affects Versions: 1.1.0
>         Environment: OS:WindowsXP
>            Reporter: Atsushi Monna
>            Assignee: Senaka Fernando
>             Fix For: 1.3.0
>
>
> I think scandir() has a potential access violation in dir_windows.c.
> The following is an extraction of scandir().
> int AXIS2_CALL scandir(const char *_dirname, 
> 	struct dirent **__namelist[], 
> 	int(*selector)(const struct dirent *entry), 
> 	int(*compare)(const struct dirent **__d1, const struct dirent **__d2))
> {
>     DIR            *dirp = NULL;
>     struct dirent  **vector = NULL;
>     struct dirent  *dp = NULL;
>     int            vector_size = 0;
>     int            nfiles = 0;
>     if (!(dirp = opendir(_dirname)))
>     {
>         return -1;
>     }
>     while ((dp = readdir(dirp)))
>     {
>         dsize = (int)sizeof(struct dirent) + (int)((strlen(dp->d_name) + 1) * sizeof(char));
>         newdp = (struct dirent *) malloc(dsize);
>         if (newdp == NULL)
>         {
>             while (nfiles-- > 0)
>             {
>                 free(vector[nfiles]);
>             }
>             free(vector);
>             return -1;
>         }
>         vector[nfiles++] = (struct dirent *) memcpy(newdp, dp, dsize);
>     }
> memcpy() is used like this:
>   vector[nfiles++] = (struct dirent *) memcpy(newdp, dp, dsize);
> "dsize" is defined like this:
>   dsize = (int)sizeof(struct dirent) + (int)((strlen(dp->d_name) + 1) * sizeof(char));
> The "dp" (copy src) has only the size of "struct dirent", which is less than "dsize".
> When accessing beyond "dp", there is a potential access violation.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-c-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-c-dev-help@ws.apache.org
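
The size mismatch described in the report above, worked through as an added example (not code from Axis2/C or from the reporter). It assumes `struct demo_dirent`, with a fixed 260-byte name array, as a stand-in for the Windows port's `struct dirent`; `copy_entry` is one possible bounded copy, not the project's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the Windows port's struct dirent (assumed layout):
 * the name lives in a fixed-size array inside the struct. */
struct demo_dirent {
    long d_ino;
    unsigned short d_reclen;
    char d_name[260];
};

/* Size used by the reported memcpy(): struct plus the name length again. */
static size_t reported_copy_size(const struct demo_dirent *dp)
{
    return sizeof(struct demo_dirent) + (strlen(dp->d_name) + 1) * sizeof(char);
}

/* Bytes the reported memcpy() would read past the end of *dp. */
static size_t overread_bytes(const struct demo_dirent *dp)
{
    return reported_copy_size(dp) - sizeof(*dp);
}

/* Bounded copy: the source object is exactly sizeof(*dp) bytes, so
 * allocate and copy exactly that much. Returns NULL on failure. */
static struct demo_dirent *copy_entry(const struct demo_dirent *dp)
{
    struct demo_dirent *newdp;
    if (dp == NULL)
        return NULL;
    newdp = malloc(sizeof(*newdp));
    if (newdp == NULL)
        return NULL;
    memcpy(newdp, dp, sizeof(*newdp));
    newdp->d_name[sizeof(newdp->d_name) - 1] = '\0'; /* keep name terminated */
    return newdp;
}

int main(void)
{
    struct demo_dirent entry = { 1, 0, "service.xml" }; /* constructed sample */
    struct demo_dirent *copy = copy_entry(&entry);
    printf("reported size %zu, object size %zu, over-read %zu bytes\n",
           reported_copy_size(&entry), sizeof(entry), overread_bytes(&entry));
    if (copy != NULL)
        printf("bounded copy holds \"%s\"\n", copy->d_name);
    free(copy);
    return 0;
}
```

The over-read grows with the file name: every entry is read `strlen(d_name) + 1` bytes past the end of the source object.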

