Bug #1647

cgi_env_add does not terminate the env list with null

Added by Anonymous over 11 years ago. Updated almost 11 years ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: mod_cgi
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

mod_cgi calls execve, which takes a pointer to the environment of the form char* envp[]. The last of those pointers should be null, and every string should be zero terminated.

The function cgi_env_add does not guarantee that the last env pointer will be null. I pasted the corrected code. This code makes sure there's an extra pointer at the end, and after adding the new environment and increasing the count adds a 0 in the last one.

    #include <stdlib.h> /* malloc, realloc */
    #include <string.h> /* memcpy */

    int cgi_env_add(char_array *env, const char *key, size_t key_len, const char *val, size_t val_len) {
        char *dst;

        if (!key || !val) return -1;
        dst = (char *)malloc(key_len + val_len + 3);
        memcpy(dst, key, key_len);
        dst[key_len] = '=';
        /* add the \0 from the value */
        memcpy(dst + key_len + 1, val, val_len + 1);
        if (env->size == 0) {
            env->size = 16;
            env->ptr = (char **)malloc(env->size * sizeof(*env->ptr));
        } else if (env->size == (env->used + 1)) { /* changed: keep one slot free for the terminator */
            env->size += 16;
            env->ptr = (char **)realloc(env->ptr, env->size * sizeof(*env->ptr));
        }
        env->ptr[env->used++] = dst;
        env->ptr[env->used] = 0; /* changed: terminate the list after every add */
        return 0;
    }

-- mibrahim

History

#1

Updated by stbuehler over 11 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

Perhaps you should have read where cgi_env_add is used - the environment is fixed before it is used.

#2

Updated by stbuehler almost 11 years ago

  • Status changed from Fixed to Invalid
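
Added example, not lighttpd's code and not part of the original ticket: a small environment builder in which the add function leaves the list unterminated and a separate step writes the NULL pointer once, just before the array would be handed to execve. The names env_list, env_add, env_finalize and envp_count are hypothetical; the struct fields mirror those used in the report.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the project's char_array (fields as used in the report). */
typedef struct { char **ptr; size_t size; size_t used; } env_list;

/* Append "key=val". Like the reported function, this does NOT terminate the list. */
static int env_add(env_list *env, const char *key, const char *val) {
    size_t klen, vlen;
    char *dst;
    if (!key || !val) return -1;
    klen = strlen(key);
    vlen = strlen(val);
    if (env->used == env->size) {            /* grow in steps of 16 pointers */
        char **p = realloc(env->ptr, (env->size + 16) * sizeof(*p));
        if (!p) return -1;
        env->ptr = p;
        env->size += 16;
    }
    if (!(dst = malloc(klen + vlen + 2))) return -1;   /* key + '=' + val + \0 */
    memcpy(dst, key, klen);
    dst[klen] = '=';
    memcpy(dst + klen + 1, val, vlen + 1);   /* copies the trailing \0 too */
    env->ptr[env->used++] = dst;
    return 0;
}

/* Call once, right before execve(): make room for the terminator and write it.
 * Returns the envp to pass to execve(), or NULL on allocation failure. */
static char **env_finalize(env_list *env) {
    if (env->used == env->size) {            /* array is exactly full: add one slot */
        char **p = realloc(env->ptr, (env->size + 1) * sizeof(*p));
        if (!p) return NULL;
        env->ptr = p;
        env->size += 1;
    }
    env->ptr[env->used] = NULL;
    return env->ptr;
}

/* Count entries up to the terminator, the way execve() walks envp. */
static size_t envp_count(char *const *envp) {
    size_t n = 0;
    while (envp[n]) n++;
    return n;
}
```

The case worth checking is a list that is exactly full (used == size) when it is finalized, since that is where a missing terminator slot would cause an out-of-bounds write or an unterminated envp.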
