httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: [BUG] rprintf SEGVs if given NULL for %S
Date Sat, 15 Feb 1997 03:33:56 GMT
I agree.  You must be careful about the manner in which you fail, because in
certain places failing in what seems to be the obvious way can lead to the
client being able to trick the server into granting access when it
shouldn't, etc., but in general I like the idea.

It is sloppy code to not check that in either the caller or the
subroutine.  Easiest to check in the subroutine, and helps in debugging.
I don't think the overhead is a real issue.

We did a similar thing for whateveritwas that I submitted the patch for
the other week... err, log_reason().  That's it.

On Fri, 14 Feb 1997, Jim Jagielski wrote:

> Rodent of Unusual Size wrote:
> > 
> >     In tracking down a SEGV I was getting, I found that vbprintf() isn't
> >     being paranoid about bad %s arguments.  The following will SEGV
> >     rather than sending "(null)":
> > 
> >       rprintf (r, "%s", NULL)
> > 
> >     Is this worth adding the necessary paranoia code, or is this a case
> >     of "don't do that"?  I'm inclined to think the former, but there it
> >     is..
> > 
> 
> If it's easy to add, I'd vote for the former... SEGVs do give
> an indication that you're referencing NULL someplace you shouldn't
> but having the code actually point it out is nice.
> 
> -- 
> ====================================================================
>       Jim Jagielski            |       jaguNET Access Services
>      jim@jaguNET.com           |       http://www.jaguNET.com/
>                   "Not the Craw... the CRAW!"
> 
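
The subroutine-side check discussed in this thread, as an added example (not Apache's vbprintf() and not code from the list): a minimal bounded formatter that substitutes "(null)" for a NULL %s argument instead of dereferencing it. The names mini_format and put are hypothetical, and only %s and %% are handled.

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>

/* Append n bytes of s at logical offset pos, copying only what fits and
 * always leaving room for the terminator. Returns the new logical offset. */
static size_t put(char *buf, size_t size, size_t pos, const char *s, size_t n)
{
    if (size > 0 && pos < size - 1) {
        size_t room = size - 1 - pos;
        memcpy(buf + pos, s, n < room ? n : room);
    }
    return pos + n;
}

/* Hypothetical stand-in for a vbprintf()-style routine. Returns the length
 * the full output needs (like snprintf), so callers can detect truncation.
 * Pass a NULL string as (const char *)NULL so the vararg has pointer type. */
size_t mini_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t pos = 0;

    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        if (*fmt != '%') {
            pos = put(buf, size, pos, fmt, 1);
        } else if (fmt[1] == 's') {
            const char *s = va_arg(ap, const char *);
            if (s == NULL)      /* the check: never hand NULL to strlen() */
                s = "(null)";
            pos = put(buf, size, pos, s, strlen(s));
            fmt++;
        } else if (fmt[1] == '%') {
            pos = put(buf, size, pos, "%", 1);
            fmt++;
        } else {
            pos = put(buf, size, pos, "%", 1);  /* unsupported: emit as-is */
        }
    }
    va_end(ap);
    if (size > 0)
        buf[pos < size - 1 ? pos : size - 1] = '\0';
    return pos;
}
```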

