httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: [BUG]: "segv attempting to run some cgis" on OTHER:qnx
Date Sun, 02 Mar 1997 18:03:33 GMT

> > > Symptoms:
> > > --
> > > httpd faults.  the bug is that va_end() is called
> > > twice within create_argv() [in util_script.c]
> > > va_end() should not be called at the bottom of
> > > the while loop.
> > > --
> > 
> > Hi,
> > 
> > Thanks for the info. It'll be looked into for the next
> > beta.
> 
> This also fixes another PR somewhere in the database.
> 
> Ok, there are a few problems with create_argv:
> 
> 	- possible buffer overflow if command line args >
> 	  APACHE_ARG_MAX; not likely to be exploitable.

I don't see this Marc. Can you be more specific?

> 	- av[idx] = '\0' should be NULL instead of '\0'

?? array of char *?

> 	- remove the first va_end

Ya.

> 	- I didn't think that va_arg would necessarily work properly
> 	  with a NULL (ie. the NULL termination), since NULL is
> 	  generally 0 and 0 is an int not a char* so va_arg may not
> 	  match it?

Hmm, I had thought that last I looked NULL was void *(0) or 
something. You are correct though that it is 0 on FreeBSD and BSDI.


> char **create_argv(request_rec *r, char *av0, ...)
> {
>     int idx;
>     char **av;
>     char *t, *arg;
>     va_list args;
> 
>     av = (char **)palloc(r->pool, APACHE_ARG_MAX);
>     
>     av[0] = av0;
>     idx = 1;
>     
>     va_start(args, av0);
>     while ((arg = va_arg(args, char *)) != NULL) {
>         if ((t = strtok(arg, "+")) == NULL)
>             break;
>         
>         unescape_url(t);
>         av[idx] = escape_shell_cmd(r->pool, t);
>         av[idx] = t;
>         idx++;
>         if (idx >= APACHE_ARG_MAX-1) break;
>         
>         while ((t = strtok(NULL, "+")) != NULL) {
>             unescape_url(t);
>             assert(idx < APACHE_ARG_MAX);
>             av[idx] = escape_shell_cmd(r->pool, t);
>             av[idx] = t;
>             idx++;
>             if (idx >= APACHE_ARG_MAX-1) break;
>         }
>         va_end(args);
>     }
>     va_end(args);
> 
>     av[idx] = '\0';
>     return av;
> }
> 

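The corrected create_argv() that this exchange is converging on, written out as an added example (not code from this message, from Marc, or from the Apache tree): a single va_start/va_end pair, av[idx] = NULL rather than '\0' as the terminator, a (char *)NULL sentinel at the call site so that va_arg(args, char *) reads back the same type that was passed, an allocation sized in pointers (sizeof *av) rather than bytes, and a bound checked before every store, with goto done leaving both loops at once so the last slot is never consumed by an argument. unescape_url() and escape_shell_cmd() are replaced by simplified stand-ins named demo_*, the request pool by malloc/free, and APACHE_ARG_MAX is set to a small value so the cut-off path is easy to exercise; all of these are assumptions for the demo, not Apache's values or code.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small so the cut-off path is easy to exercise; Apache's real
 * APACHE_ARG_MAX is far larger.  Demo assumption only. */
#define APACHE_ARG_MAX 8

static int hexval(unsigned char c)          /* value of a hex digit, or -1 */
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Stand-in for Apache's unescape_url(): decode %XX in place.  Simplified
 * (no %2F rejection, no error return); not Apache's code. */
static void demo_unescape_url(char *s)
{
    char *d = s;
    while (*s != '\0') {
        if (*s == '%' && hexval((unsigned char)s[1]) >= 0 && hexval((unsigned char)s[2]) >= 0) {
            *d++ = (char)(hexval((unsigned char)s[1]) * 16 + hexval((unsigned char)s[2]));
            s += 3;
        } else {
            *d++ = *s++;
        }
    }
    *d = '\0';
}

/* Stand-in for Apache's escape_shell_cmd(): malloc'd copy of s with a backslash
 * before each shell metacharacter.  The set below is an assumption for the demo. */
static char *demo_escape_shell_cmd(const char *s)
{
    static const char meta[] = "&;`'\"|*?~<>^()[]{}$\\\n";
    char *out = malloc(2 * strlen(s) + 1);   /* worst case: every byte escaped */
    char *d = out;

    if (out == NULL) return NULL;
    for (; *s != '\0'; ++s) {
        if (strchr(meta, *s) != NULL) *d++ = '\\';
        *d++ = *s;
    }
    *d = '\0';
    return out;
}

/* Corrected create_argv(): one va_start/va_end pair, an allocation sized in
 * pointers, a bound checked before every store so the last slot always stays
 * free for the terminator, and a null pointer (not '\0') closing the vector.
 * The arguments after av0 must be writable buffers because strtok edits them. */
char **demo_create_argv(char *av0, ...)
{
    char **av = calloc(APACHE_ARG_MAX, sizeof *av);
    int idx = 1;
    char *arg, *t;
    va_list args;

    if (av == NULL) return NULL;
    av[0] = av0;

    va_start(args, av0);
    while ((arg = va_arg(args, char *)) != NULL) {
        /* '+' separates the words of an indexed (ISINDEX-style) query. */
        for (t = strtok(arg, "+"); t != NULL; t = strtok(NULL, "+")) {
            if (idx >= APACHE_ARG_MAX - 1) goto done;   /* last slot is reserved for NULL */
            demo_unescape_url(t);
            av[idx++] = demo_escape_shell_cmd(t);
        }
    }
done:
    va_end(args);      /* exactly once, paired with the single va_start */
    av[idx] = NULL;    /* the terminator is a null pointer, not the char '\0' */
    return av;
}

/* Entries before the terminator: the argc the CGI would see. */
size_t demo_argv_len(char **av)
{
    size_t n = 0;
    while (av[n] != NULL) n++;
    return n;
}

/* Free what demo_create_argv() allocated; av[0] belongs to the caller. */
void demo_free_argv(char **av)
{
    size_t i;
    for (i = 1; av[i] != NULL; i++) free(av[i]);
    free(av);
}

int main(void)
{
    char query[] = "foo+bar%20baz+a;b";   /* constructed sample query string */
    /* (char *)NULL rather than bare NULL: a bare 0 may travel as an int while
     * va_arg(args, char *) reads back a pointer. */
    char **av = demo_create_argv("/cgi-bin/prog", query, (char *)NULL);
    size_t i;

    if (av == NULL) return 1;
    for (i = 0; av[i] != NULL; i++) printf("av[%lu] = %s\n", (unsigned long)i, av[i]);
    demo_free_argv(av);
    return 0;
}
```

With APACHE_ARG_MAX at 8 a query of ten '+'-separated words yields av[0] plus six arguments and a NULL in av[7]; nothing is ever written at or past av[APACHE_ARG_MAX]. The cast on the sentinel is the same reason execl() callers are told to pass (char *)NULL: on a platform where a pointer is wider than an int, a bare 0 is not a reliable terminator for a va_arg(args, char *) loop.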