httpd-dev mailing list archives

From Greg Stein <gst...@lyra.org>
Subject Re: cvs commit: apache-2.0/src/main http_protocol.c
Date Fri, 06 Oct 2000 09:37:35 GMT
On Thu, Oct 05, 2000 at 10:40:42PM -0000, rbb@locus.apache.org wrote:
>...
>   --- http_protocol.c	2000/10/05 17:32:51	1.144
>   +++ http_protocol.c	2000/10/05 22:40:28	1.145
>...
>   +        b = AP_BRIGADE_FIRST(r->connection->input_data);
>   +        len_read = len_to_read;
>   +        rv = b->read(b, &tempbuf, &len_read, 0);
>   +        if (len_read < b->length) {
>   +            b->split(b, len_read);
>   +        }
>   +        memcpy(buffer, tempbuf, len_read);
>   +        AP_BUCKET_REMOVE(b);
>   +        b->destroy(b);
>   +
>            r->read_length += len_read;
>            r->remaining -= len_read;
>            return len_read;
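
Review bot: the `memcpy(buffer, tempbuf, len_read)` in the added block uses the `len_read` that `b->read()` writes back, and nothing in the hunk bounds that value by `len_to_read` before the copy, so a read that returns more than was requested copies past the end of `buffer`. Clamp it first: compare `len_read` against `len_to_read`, split the bucket at `len_to_read`, and copy only that many bytes. `rv` is also assigned but not checked in the visible lines before `tempbuf` is used.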

This part isn't going to work since b->read() ignores the len_read value
passed to it. You could very well end up with a len_read > len_to_read. The
memcpy() could then stomp memory.

I'm not quite sure what the right answer is, as I haven't tried to grok your
strategy here. But I figured that I should mention the potential overrun for
you.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
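
The overrun described in the message above, with the copy length bounded before the `memcpy()`. This is an added example, not part of the original message or the apache-2.0 source; `struct bucket`, `bucket_read()`, `bucket_split()` and `read_clamped()` are hypothetical, simplified stand-ins for the bucket API quoted in the patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified bucket; not the apache-2.0 bucket type. */
struct bucket { const char *data; size_t length; };

/* Models the read() described in the reply: the requested length is
 * ignored and the whole bucket length is reported back. */
static void bucket_read(const struct bucket *b, const char **out, size_t *len)
{
    *out = b->data;
    *len = b->length;
}

/* b keeps the first n bytes; rest describes the remainder. */
static void bucket_split(struct bucket *b, size_t n, struct bucket *rest)
{
    rest->data = b->data + n;
    rest->length = b->length - n;
    b->length = n;
}

/* Copy at most bufsiz bytes of b into buffer; unread bytes go to *rest. */
size_t read_clamped(struct bucket *b, char *buffer, size_t bufsiz,
                    struct bucket *rest)
{
    const char *tmp;
    size_t len_read = bufsiz;      /* request that bucket_read() ignores */

    rest->data = NULL;
    rest->length = 0;
    bucket_read(b, &tmp, &len_read);
    if (len_read > bufsiz) {       /* bound the copy by the caller's buffer */
        bucket_split(b, bufsiz, rest);
        len_read = bufsiz;
    }
    memcpy(buffer, tmp, len_read);
    return len_read;
}

int main(void)
{
    /* Constructed sample: a 26-byte bucket read into an 8-byte buffer. */
    struct bucket b = { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26 }, rest;
    char buffer[8];
    size_t n = read_clamped(&b, buffer, sizeof buffer, &rest);
    printf("copied %zu bytes, %zu left for the next read\n", n, rest.length);
    return 0;
}
```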
