httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: [BUG]: "segv attempting to run some cgis" on OTHER:qnx
Date Thu, 27 Feb 1997 02:42:19 GMT
On Wed, 26 Feb 1997, Rob Hartill wrote:

> On Wed, 26 Feb 1997 glen@qnx.com wrote:
> 
> > Submitter: glen@qnx.com
> > Operating system: OTHER:qnx, version: 4.23
> > Version of Apache Used: 1.2b7
> > Extra Modules used: 
> > URL exhibiting problem: 
> > 
> > Symptoms:
> > --
> > httpd faults.  the bug is that va_end() is called
> > twice within create_argv() [in util_script.c]
> > va_end() should not be called at the bottom of
> > the while loop.
> > --
> 
> Hi,
> 
> Thanks for the info. It'll be looked into for the next
> beta.

This also fixes another PR somewhere in the database.

Ok, there are a few problems with create_argv:

	- possible buffer overflow if command line args >
	  APACHE_ARG_MAX; not likely to be exploitable.
	- av[idx] = '\0' should be NULL instead of '\0'
	- remove the first va_end
	- I didn't think that va_arg would necessarily work properly
	  with a NULL (i.e. the NULL termination), since NULL is
	  generally 0 and 0 is an int not a char* so va_arg may not
	  match it?


char **create_argv(request_rec *r, char *av0, ...)
{
    int idx;
    char **av;
    char *t, *arg;
    va_list args;

    av = (char **)palloc(r->pool, APACHE_ARG_MAX);

    av[0] = av0;
    idx = 1;

    va_start(args, av0);
    /* the terminating argument must be passed as a char *, not a bare 0/NULL
       (see the va_arg point above) */
    while ((arg = va_arg(args, char *)) != NULL) {
        if ((t = strtok(arg, "+")) == NULL)
            break;

        unescape_url(t);
        av[idx] = escape_shell_cmd(r->pool, t);
        av[idx] = t;
        idx++;
        if (idx >= APACHE_ARG_MAX-1) break;

        while ((t = strtok(NULL, "+")) != NULL) {
            unescape_url(t);
            assert(idx < APACHE_ARG_MAX);
            av[idx] = escape_shell_cmd(r->pool, t);
            av[idx] = t;
            idx++;
            if (idx >= APACHE_ARG_MAX-1) break;
        }
        va_end(args);   /* first va_end: remove it; args is still read by the
                           next va_arg at the top of the loop */
    }
    va_end(args);

    av[idx] = '\0';     /* should be NULL: this slot holds a char *, not a char */
    return av;
}
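The same argv-building pattern with the four points above addressed, as an added example that is not Apache's code: the array is never indexed past its last slot, va_end runs once after the loop, the terminator is a NULL pointer, and the sentinel is passed as (char *)NULL. It assumes ARG_MAX_SLOTS (a small stand-in for APACHE_ARG_MAX), plain malloc/calloc in place of palloc, and a copying split instead of strtok; unescape_url and escape_shell_cmd are left out to keep the focus on the bounds and varargs handling.

```c
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#define ARG_MAX_SLOTS 8   /* stands in for APACHE_ARG_MAX; small so the bound is hit */

/* Copy n bytes of s into a fresh NUL-terminated string (input is left untouched). */
static char *dupn(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d == NULL) return NULL;
    memcpy(d, s, n);
    d[n] = '\0';
    return d;
}

/* Build a NULL-terminated argv: av0, then every '+'-separated token of each
 * following argument. The argument list must end with (char *)NULL so that
 * va_arg(args, const char *) reads a pointer-sized sentinel. Tokens past the
 * limit are dropped; av[ARG_MAX_SLOTS - 1] is reserved for the terminator. */
char **create_argv_checked(const char *av0, ...)
{
    char **av = calloc(ARG_MAX_SLOTS, sizeof(char *));
    size_t idx = 1;
    va_list args;
    const char *arg;
    if (av == NULL)
        return NULL;
    av[0] = dupn(av0, strlen(av0));
    va_start(args, av0);
    while ((arg = va_arg(args, const char *)) != NULL) {
        const char *p = arg;
        while (idx < ARG_MAX_SLOTS - 1) {        /* keeps one slot free */
            const char *plus = strchr(p, '+');
            size_t len = plus ? (size_t)(plus - p) : strlen(p);
            if (len > 0)                         /* like strtok: skip empty tokens */
                av[idx++] = dupn(p, len);
            if (plus == NULL)
                break;
            p = plus + 1;
        }
        if (idx >= ARG_MAX_SLOTS - 1)
            break;                               /* full: drop the rest, no overflow */
    }
    va_end(args);                                /* exactly once, after the loop */
    av[idx] = NULL;                              /* pointer terminator, not '\0' */
    return av;
}
```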


