httpd-dev mailing list archives

From r..@covalent.net
Subject Re: cvs commit: apache-2.0/src/main http_protocol.c
Date Fri, 06 Oct 2000 13:43:04 GMT
On Fri, 6 Oct 2000, Greg Stein wrote:

> On Thu, Oct 05, 2000 at 10:40:42PM -0000, rbb@locus.apache.org wrote:
> >...
> >   --- http_protocol.c	2000/10/05 17:32:51	1.144
> >   +++ http_protocol.c	2000/10/05 22:40:28	1.145
> >...
> >   +        b = AP_BRIGADE_FIRST(r->connection->input_data);
> >   +        len_read = len_to_read;
> >   +        rv = b->read(b, &tempbuf, &len_read, 0);
> >   +        if (len_read < b->length) {
> >   +            b->split(b, len_read);
> >   +        }
> >   +        memcpy(buffer, tempbuf, len_read);
> >   +        AP_BUCKET_REMOVE(b);
> >   +        b->destroy(b);
> >   +
> >            r->read_length += len_read;
> >            r->remaining -= len_read;
> >            return len_read;
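
Review bot: the memcpy(buffer, tempbuf, len_read) at the end of the added lines copies however many bytes b->read() reported, and nothing between the read and the copy bounds len_read by len_to_read. The only check, `if (len_read < b->length)`, compares against the bucket's own length rather than the caller's request. Clamp before copying: when len_read > len_to_read, split the bucket at len_to_read and set len_read = len_to_read, so the copy never exceeds the length the caller asked for. rv is also assigned and never tested before tempbuf is used; return on a failed read instead of copying.
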
> 
> This part isn't going to work since b->read() ignores the len_read value
> passed to it. You could very well end up with a len_read > len_to_read. The
> memcpy() could then stomp memory.
> 
> I'm not quite sure what the right answer is, as I haven't tried to grok your
> strategy here. But I figured that I should mention the potential overrun for
> you.

I had a feeling that might be an issue, but I wanted to get this in.  The
solution is to split the bucket if the len_read > len_to_read.  I'll
commit a fix today.

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------
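
The fix described in the reply above (split the bucket when it holds more than the caller asked for, then copy), as an added example that is not part of the original message or the Apache source. `bucket`, `bucket_split` and `read_bounded` are hypothetical stand-ins for the bucket API, and the 10-byte input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy bucket: a hypothetical stand-in, not the Apache bucket API. */
typedef struct bucket {
    const char *data;     /* bytes held by this bucket */
    size_t length;        /* number of bytes in data */
    struct bucket *next;  /* next bucket in the brigade */
} bucket;

/* Split b at offset: b keeps [0, offset), a new bucket gets the rest. */
static int bucket_split(bucket *b, size_t offset) {
    bucket *tail = malloc(sizeof(*tail));
    if (tail == NULL) return -1;
    tail->data = b->data + offset;
    tail->length = b->length - offset;
    tail->next = b->next;
    b->length = offset;
    b->next = tail;
    return 0;
}

/* Copy at most len_to_read bytes from the head bucket into buffer; the
 * unread remainder stays queued. Returns bytes copied, or -1 on error. */
static long read_bounded(bucket **head, char *buffer, size_t len_to_read) {
    bucket *b = *head;
    if (b == NULL) return 0;
    size_t len_read = b->length;   /* the read hands back the whole bucket */
    if (len_read > len_to_read) {  /* more data than the caller asked for */
        if (bucket_split(b, len_to_read) != 0) return -1;
        len_read = len_to_read;    /* clamp before the copy */
    }
    memcpy(buffer, b->data, len_read);
    *head = b->next;               /* unlink and destroy the consumed bucket */
    free(b);
    return (long)len_read;
}

int main(void) {
    char buf[4];   /* constructed input: one 10-byte bucket, 4-byte buffer */
    bucket *head = malloc(sizeof(*head));
    long n;
    if (head == NULL) return 1;
    head->data = "0123456789"; head->length = 10; head->next = NULL;
    while ((n = read_bounded(&head, buf, sizeof(buf))) > 0)
        printf("copied %ld bytes\n", n);
    return 0;
}
```
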

