httpd-dev mailing list archives

From Jeff Trawick <>
Subject Re: False positive errno test after call to strtol()
Date Fri, 15 Nov 2013 17:38:29 GMT
On Thu, Nov 14, 2013 at 4:11 PM, Mike Rumph <> wrote:

> The man page for strtol() indicates that the function can set errno to
> ERANGE (EINVAL is also possible for some environments).
> But for the errno check to be valid errno should be set to 0 before the
> function call.
> -
> I've reviewed all cases of calls to strtol() in httpd and APR code.
> In some cases no validation is performed after the call.
> In most cases endptr (the second parameter) is checked against the
> beginning and/or ending of the string which does not guarantee against
> numeric overflow.
> In some cases errno is checked for ERANGE.
> I've attached a patch for the simplest case, where errno is checked but
> was not set to 0 before the call.

committed to trunk as r1542338; I'll propose for backport to the 2.4.x

> I will consider working up a more extensive patch, if it is desired.

I suggest posting a couple of examples of what you found first.

> BTW, this discussion is not purely theoretical.
> Erroneous "Invalid ThreadStackSize value: " messages have been witnessed
> in HP-UX environments.
> Thanks,
> Mike Rumph

Born in Roswell... married an alien...
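The false positive discussed in this thread, as an added example that is not part of the original message or of the httpd/APR code: one parser tests errno without clearing it first, the other sets errno to 0 before calling strtol(). The function names and the sample value "65536" are hypothetical, constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Pattern from the report: errno is tested after strtol() but was never
 * cleared, so an ERANGE left over from earlier code is misread as overflow. */
static int parse_without_reset(const char *s, long *out)
{
    char *end;
    long v = strtol(s, &end, 10);

    if (errno == ERANGE || end == s || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Corrected pattern: clear errno, call strtol(), then test both errno
 * (numeric overflow) and endptr (no digits, or trailing garbage). */
static int parse_with_reset(const char *s, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    long v = 0;
    const char *valid = "65536";   /* constructed sample directive value */

    errno = ERANGE;                /* simulate a stale errno from earlier code */
    printf("without reset: %d\n", parse_without_reset(valid, &v));
    errno = ERANGE;
    printf("with reset:    %d (value %ld)\n", parse_with_reset(valid, &v), v);
    printf("overflow:      %d\n",
           parse_with_reset("99999999999999999999999999", &v));
    return 0;
}
```

The endptr checks alone accept the overflowing input, since strtol() consumes every digit and returns a clamped value; only the errno test after a reset catches it.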
