From 21dc265e54408be4e6bfc763fc71e4509d2ac7cd Mon Sep 17 00:00:00 2001 From: Martin Stjernholm <mast@lysator.liu.se> Date: Mon, 14 Apr 2003 16:24:03 +0200 Subject: [PATCH] Fixed dereferencing of possibly freed memory, which under rare circumstances can cause buffer overflows. Rev: src/modules/_Roxen/roxen.c:1.34 --- src/modules/_Roxen/roxen.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/modules/_Roxen/roxen.c b/src/modules/_Roxen/roxen.c index 8df18ae403..1d613379e8 100644 --- a/src/modules/_Roxen/roxen.c +++ b/src/modules/_Roxen/roxen.c @@ -2,7 +2,7 @@ || This file is part of Pike. For copyright information see COPYRIGHT. || Pike is distributed under GPL, LGPL and MPL. See the file COPYING || for more information. -|| $Id: roxen.c,v 1.33 2003/03/14 15:57:49 grubba Exp $ +|| $Id: roxen.c,v 1.34 2003/04/14 14:24:03 mast Exp $ */ #define NO_PIKE_SHORTHAND @@ -75,6 +75,7 @@ static void f_hp_feed( INT32 args ) { struct pike_string *str = Pike_sp[-1].u.string; struct header_buf *hp = THP; + int str_len; int tot_slash_n=hp->slash_n, slash_n = 0, spc = hp->spc; char *pp,*ep; struct svalue *tmp; @@ -86,7 +87,8 @@ static void f_hp_feed( INT32 args ) Pike_error("Wrong type of argument to feed()\n"); if( str->size_shift ) Pike_error("Wide string headers not supported\n"); - while( str->len >= hp->left ) + str_len = str->len; + while( str_len >= hp->left ) { char *buf; if( THP->hsize > 512 * 1024 ) @@ -105,11 +107,11 @@ static void f_hp_feed( INT32 args ) THP->pnt = (THP->headers + THP->hsize - THP->left); } - MEMCPY( hp->pnt, str->str, str->len ); + MEMCPY( hp->pnt, str->str, str_len ); pop_n_elems( args ); /* FIXME: The below does not support lines terminated with just \r. */ - for( ep=(hp->pnt+str->len),pp=MAXIMUM(hp->headers,hp->pnt-3); + for( ep=(hp->pnt+str_len),pp=MAXIMUM(hp->headers,hp->pnt-3); pp<ep && slash_n<2; pp++ ) if( *pp == ' ' ) spc++; else if( *pp == '\n' ) slash_n++, tot_slash_n++; 
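Review bot: `int str_len` in the declarations of f_hp_feed may be narrower than the field it caches; the type of `str->len` is not visible in this patch, so this needs checking against the `struct pike_string` definition. If the field is wider than int, a very large string would be truncated by `str_len = str->len;` in the next hunk. A negative result would then skip the `str_len >= hp->left` growth loop and reach `MEMCPY` as a huge size. Declaring the local with the field's own type, or rejecting lengths above `INT_MAX` before the loop, would close that gap. The body of f_hp_feed starts and ends outside this hunk.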
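Review bot: Nothing at the `pop_n_elems( args )` call in the `@@ -105,11 +107,11 @@` hunk records that `str` must not be dereferenced from that line on, which is the invariant this fix depends on. A comment directly above the call, such as `/* str may be freed by the pop below; use str_len, never str->len, after this point. */`, would keep a later edit from reintroducing the stale read. The `MEMCPY` has to stay ahead of the pop for the same reason, since it still reads `str->str`. The rest of f_hp_feed is outside the hunk, so any remaining `str->` use after the pop could not be checked here.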
@@ -118,8 +120,8 @@ static void f_hp_feed( INT32 args ) hp->slash_n = tot_slash_n; hp->spc = spc; - hp->left -= str->len; - hp->pnt += str->len; + hp->left -= str_len; + hp->pnt += str_len; hp->pnt[0] = 0; if( slash_n != 2 ) -- GitLab
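Review bot: The `hp->pnt[0] = 0` store after the pointer is advanced has no comment explaining why one byte is still available there. From the visible lines it appears to rely on the growth loop exiting only once `str_len < hp->left`, so that `hp->left` stays at least 1 after `hp->left -= str_len`. A comment such as `/* the growth loop keeps left > str_len, so the terminating NUL fits */` would record that. The loop body is only partly visible in this patch, so the invariant should be confirmed against the full function.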