httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ghassan Misherghi <ghass...@ucdavis.edu>
Subject bug in mod_dav.c
Date Sat, 05 Nov 2005 20:42:48 GMT
Hello,

For both httpd-2.0.55 and httpd-2.1.8 there is a bug in
modules/dav/main/mod_dav.c.  It is a null pointer dereference in some error
handling code, so I'm not surprised that no one has noticed this yet.

Look at line 2488 (in 2.0.55):

   if (err != NULL) {
       return dav_handle_err(r, err, NULL);
   }
   if (err2 != NULL) {
       /* just log a warning */
       err = dav_push_error(r->pool, err->status, 0,
                            "The MKCOL was successful, but there "
                            "was a problem automatically checking in "
                            "the parent collection.",
                            err2);
       dav_log_err(r, err, APLOG_WARNING);
   }

Notice that for execution to pass to the second if statement, err must
currently be null.  But then within the second if statement, err is
immediately used in an argument as "err->status".  This will clearly
result in a null pointer dereference.  Perhaps the author intended to write
"err2->status".

Cheers,
Ghassan Misherghi

Mime
View raw message