httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: [BUG]: "segv attempting to run some cgis" on OTHER:qnx
Date Sun, 02 Mar 1997 18:22:11 GMT
On Sun, 2 Mar 1997, Randy Terbush wrote:

> 
> > > > Symptoms:
> > > > --
> > > > httpd faults.  the bug is that va_end() is called
> > > > twice within create_argv() [in util_script.c]
> > > > va_end() should not be called at the bottom of
> > > > the while loop.
> > > > --
> > > 
> > > Hi,
> > > 
> > > Thanks for the info. It'll be looked into for the next
> > > beta.
> > 
> > This also fixes another PR somewhere in the database.
> > 
> > Ok, there are a few problems with create_argv:
> > 
> > 	- possible buffer overflow if command line args >
> > 	  APACHE_ARG_MAX; not likely to be exploitable.
> 
> I don't see this Marc. Can you be more specific?

Sorry, I'm crazy.

> 
> > 	- av[idx] = '\0' should be NULL instead of '\0'
> 
> ?? array of char *?

av is a **char.  av[idx] is a *char.  A pointer is not '\0', it is NULL.
If you would not say av[idx] = 'a' you should not say av[idx] = '\0'.

No?

> 
> > 	- remove the first va_end
> 
> Ya.
> 
> > 	- I didn't think that va_arg would necessarily work properly
> > 	  with a NULL (ie. the NULL termination), since NULL is
> > 	  generally 0 and 0 is an int not a char* so va_arg may not
> > 	  match it?
> 
> Hmm, I had thought that last I looked NULL was void *(0) or 
> something. You are correct though that it is 0 on FreeBSD and BSDI.

...and AIX and Solaris and SunOS and IRIX.  So should wherever we
call create_argv, like:
	
            execv(r->filename, create_argv(r, argv0, r->args, NULL));

be changed to something like:

            execv(r->filename, create_argv(r, argv0, r->args, (void *)NULL));

?  It works as it is, but is that just the compiler being smarter than it
has to?  I know I have C books somewhere that warn against using NULL
without casting in this situation... 

> 
> > char **create_argv(request_rec *r, char *av0, ...)
> > {
> >     int idx;
> >     char **av;
> >     char *t, *arg;
> >     va_list args;
> > 
> >     av = (char **)palloc(r->pool, APACHE_ARG_MAX);
> >     
> >     av[0] = av0;
> >     idx = 1;
> >     
> >     va_start(args, av0);
> >     while ((arg = va_arg(args, char *)) != NULL) {
> >         if ((t = strtok(arg, "+")) == NULL)
> >             break;
> >         
> >         unescape_url(t);
> >         av[idx] = escape_shell_cmd(r->pool, t);
> >         av[idx] = t;
> >         idx++;
> >         if (idx >= APACHE_ARG_MAX-1) break;
> >         
> >         while ((t = strtok(NULL, "+")) != NULL) {
> >             unescape_url(t);
> >             assert(idx < APACHE_ARG_MAX);
> >             av[idx] = escape_shell_cmd(r->pool, t);
> >             av[idx] = t;
> >             idx++;
> >             if (idx >= APACHE_ARG_MAX-1) break;
> >         }
> >         va_end(args);
> >     }
> >     va_end(args);
> > 
> >     av[idx] = '\0';
> >     return av;
> > }

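The three fixes the thread settles on (one va_end per va_start, a NULL rather than '\0' terminator for the pointer array, and a cast (char *)NULL sentinel so va_arg's char * read matches what the caller pushed) are shown together below in a stand-alone argv builder. This is an added example, not Marc's patch and not Apache's util_script.c: it allocates with malloc instead of the request pool, sizes the array in pointer slots rather than bytes, skips unescape_url and escape_shell_cmd, and uses a hypothetical ARG_MAX_SLOTS cap in place of APACHE_ARG_MAX.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap standing in for APACHE_ARG_MAX (assumption).  It counts
 * pointer slots, one of which is always reserved for the NULL terminator. */
#define ARG_MAX_SLOTS 8

/* Append a copy of the len bytes at s to av[*idx].  Refuses when the only
 * slot left is the one reserved for the terminating NULL, so the caller can
 * never write past the array.  Returns 0 on success, -1 when full or on
 * allocation failure. */
static int push_arg(char **av, size_t *idx, size_t cap, const char *s, size_t len)
{
    if (*idx + 1 >= cap)
        return -1;
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, s, len);
    copy[len] = '\0';
    av[(*idx)++] = copy;
    return 0;
}

/* Build a NULL-terminated argv: av0 first, then each '+'-separated field of
 * every variadic string, in order.  The variadic list must end with a
 * (char *)NULL sentinel so that va_arg(ap, const char *) reads a pointer of
 * the same width the caller pushed.  Returns a malloc'd array (free with
 * free_argv), or NULL on allocation failure. */
char **build_argv(const char *av0, ...)
{
    size_t cap = ARG_MAX_SLOTS;
    char **av = calloc(cap, sizeof *av);   /* cap pointers, not cap bytes */
    if (av == NULL)
        return NULL;

    size_t idx = 0;
    if (push_arg(av, &idx, cap, av0, strlen(av0)) != 0) {
        free(av);
        return NULL;
    }

    va_list ap;
    va_start(ap, av0);
    const char *arg;
    int full = 0;
    while (!full && (arg = va_arg(ap, const char *)) != NULL) {
        const char *p = arg;
        for (;;) {
            /* Like strtok on "+", empty fields ("a++b") produce no argument. */
            const char *plus = strchr(p, '+');
            size_t len = plus ? (size_t)(plus - p) : strlen(p);
            if (len > 0 && push_arg(av, &idx, cap, p, len) != 0) {
                full = 1;          /* cap reached: stop, keep what we have */
                break;
            }
            if (plus == NULL)
                break;
            p = plus + 1;
        }
    }
    va_end(ap);            /* exactly once, paired with the single va_start */

    av[idx] = NULL;        /* an array of char * ends in NULL, not '\0' */
    return av;
}

/* Number of non-NULL entries before the terminator. */
size_t argv_len(char **av)
{
    size_t n = 0;
    while (av[n] != NULL)
        n++;
    return n;
}

void free_argv(char **av)
{
    for (size_t i = 0; av[i] != NULL; i++)
        free(av[i]);
    free(av);
}

int main(void)
{
    /* Constructed input: a script path and a '+'-separated query string. */
    char **av = build_argv("/cgi-bin/prog", "foo+bar", "baz", (char *)NULL);
    if (av == NULL)
        return 1;
    for (size_t i = 0; av[i] != NULL; i++)
        printf("argv[%zu] = %s\n", i, av[i]);
    free_argv(av);
    return 0;
}
```

The cap check is the part worth copying: the loop tests for room before each store and reserves the final slot, so the terminator write after the loop is always in bounds even when the variadic strings carry more '+' fields than the array can hold.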