httpd-dev mailing list archives

From Brian Pane <brian.p...@cnet.com>
Subject Re: mod_include bug(s)?
Date Thu, 28 Mar 2002 01:26:43 GMT
Cliff Woolley wrote:

>On Wed, 27 Mar 2002, Brian Pane wrote:
>
>>>+    if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length)
{
>>>+        *tag = NULL;
>>>+        return;
>>>+    }
>>>
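Review bot: the guard tests whether ctx->curr_tag_pos has moved more than ctx->tag_length bytes past ctx->combined_tag, but the loop in ap_ssi_tag_and_value() relies on curr_tag_pos pointing into a NUL-terminated copy of the directive; if that invariant holds the check never fires, and if it does not, setting *tag = NULL and returning only hides the overrun without stopping the cursor from being advanced past the terminator in the first place (the "ctx->curr_tag_pos = ++c;" quoted further down in this thread). Prefer fixing the advance so the cursor never passes the terminating NUL, keeping this comparison at most as a defensive assertion. Also, the bare "{" on its own line appears to be mail wrapping of the if statement rather than part of the change.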
>>My only objection to this is that ctx->curr_tag_pos is supposed
>>to point to a null-terminated copy of the directive, and all the
>>subsequent looping logic in ap_ssi_tag_and_value() depends on
>>that.  Are we hitting a case where this string isn't null-terminated
>>(meaning that the root cause of the problem is somewhere else)?
>>
>
>Yes.  There are at least these two lines:
>
>    *(c-shift_val) = '\0'; /* Overwrites delimiter (term or WS) with NULL. */
>    ctx->curr_tag_pos = ++c;
>

That second one definitely looks bad.  I've just committed a fix for it.
I think the first one (the "*(c-shift_val)...") is safe, as long as
ctx->curr_tag_pos points somewhere within a null-terminated string upon
entry into the function.

--Brian
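For readers following the pointer logic in this thread, here is an added example. It is not code from mod_include.c and not the fix Brian committed (which is not quoted in this message): a minimal tag=value scanner in the spirit of ap_ssi_tag_and_value(), with a ctx struct modelled on the three fields named above (combined_tag, tag_length, curr_tag_pos). Its advance() mirrors the "*(c-shift_val) = '\0'; ctx->curr_tag_pos = ++c;" pair Cliff quoted and shows why stepping over the delimiter only when c is still below the terminator keeps curr_tag_pos inside the NUL-terminated copy. The struct layout, function names, quoting rules and the sample directive are this example's own assumptions.

```c
/* Added example, NOT code from mod_include.c and not the committed fix: a
 * minimal tag=value scanner in the spirit of ap_ssi_tag_and_value(), built
 * to show why "ctx->curr_tag_pos = ++c;" after NUL-terminating the
 * delimiter can step past the end of the NUL-terminated directive copy, and
 * how to advance without doing so.  Struct layout and function names are
 * this example's own assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char  *combined_tag;   /* writable, NUL-terminated copy of the directive body */
    size_t tag_length;     /* strlen(combined_tag) at entry */
    char  *curr_tag_pos;   /* cursor; invariant: combined_tag <= curr_tag_pos <= combined_tag + tag_length */
} tag_ctx;

/* Step over the delimiter at c only if it is a real byte.  An unconditional
 * "++c" here is the bug under discussion: when the last value runs up to the
 * terminator, c already points at the NUL and ++c leaves the cursor one past it,
 * so the next call scans whatever follows the string. */
static char *advance(const tag_ctx *ctx, char *c)
{
    char *end = ctx->combined_tag + ctx->tag_length;
    return (c < end) ? c + 1 : end;
}

/* Extract the next  name=value  pair (value optionally double-quoted).
 * *tag and *value are NUL-terminated in place inside combined_tag.
 * Returns 1 when a pair was found, 0 when the directive is exhausted. */
int next_tag_and_value(tag_ctx *ctx, char **tag, char **value)
{
    char *end = ctx->combined_tag + ctx->tag_length;
    char *c = ctx->curr_tag_pos;

    *tag = *value = NULL;
    if (c > end)                 /* only reachable if a caller broke the invariant */
        return 0;
    while (c < end && isspace((unsigned char)*c))
        c++;
    if (c == end)
        return 0;

    *tag = c;                    /* name runs to '=' or whitespace */
    while (c < end && *c != '=' && !isspace((unsigned char)*c))
        c++;
    if (c == end) {              /* bare name with no value */
        ctx->curr_tag_pos = end;
        return 1;
    }
    *c++ = '\0';                 /* overwrite delimiter with NUL; c < end so this is in bounds */
    while (c < end && (*c == '=' || isspace((unsigned char)*c)))
        c++;
    if (c == end) {              /* "name=" with nothing after it */
        ctx->curr_tag_pos = end;
        return 1;
    }

    if (*c == '"') {             /* quoted value: up to the closing quote */
        *value = ++c;
        while (c < end && *c != '"')
            c++;
    } else {                     /* unquoted value: up to whitespace */
        *value = c;
        while (c < end && !isspace((unsigned char)*c))
            c++;
    }
    if (c < end)
        *c = '\0';               /* overwrite delimiter (quote or WS) with NUL */
    ctx->curr_tag_pos = advance(ctx, c);   /* never past the terminator */
    return 1;
}

/* Scan a whole directive body.  Returns the number of pairs, or -1 if the
 * cursor ended up past the terminator (the condition the proposed guard
 * tested for); with advance() above that cannot happen. */
int scan_directive(char *body, char **tags, char **values, int max)
{
    tag_ctx ctx = { body, strlen(body), body };
    int n = 0;

    while (n < max && next_tag_and_value(&ctx, &tags[n], &values[n]))
        n++;
    if (ctx.curr_tag_pos - ctx.combined_tag > (ptrdiff_t)ctx.tag_length)
        return -1;
    return n;
}

int main(void)
{
    /* constructed sample: the last value runs right up to the terminator,
     * which is the case that trips an unconditional ++c */
    char body[] = "virtual=\"/foo.html\"   echo=bar";
    char *tags[4], *values[4];
    int n = scan_directive(body, tags, values, 4);

    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", tags[i], values[i]);
    return n == 2 ? 0 : 1;
}
```

The point of the sample input is the unquoted final value: its delimiter is the string's own terminating NUL, so there is no byte to step over, and the cursor has to stop at the terminator rather than one past it.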


