webcookies: strdup() file argument to avoid crash (thanks mischief)

mischief reports:

 acid: lstk()
 abort()+0x0 /sys/src/libc/9sys/abort.c:6
 ppanic(p=0x1bff4,fmt=0x1d749)+0x146 /sys/src/libc/port/malloc.c:166
         pv=0x1dad8
         msg=0x1e4a8
         v=0x3ffffe7c
         n=0x2f
 D2B(p=0x1bff4,v=0x3fffffae)+0x57 /sys/src/libc/port/pool.c:926
         a=0x3fffffa4
 poolfreel(v=0x3fffffae,p=0x1bff4)+0x20 /sys/src/libc/port/pool.c:1152
         ab=0x1dad8
 poolfree(p=0x1bff4,v=0x3fffffae)+0x3b /sys/src/libc/port/pool.c:1287
 free(v=0x3fffffb6)+0x23 /sys/src/libc/port/malloc.c:250
 readjar(file=0x3fffffb6)+0xce /sys/src/cmd/webcookies.c:473
         jar=0x1ea28
         lock=0x1ea68
         p=0x1ea6d
 main(argv=0x3fffffa0,argc=0x0)+0x10f /sys/src/cmd/webcookies.c:1295
         file=0x3fffffb6
         srv=0x0
         mtpt=0x1cfd0
         _argc=0x66
         _args=0x1cfe0
         home=0x0
 _main+0x31 /sys/src/libc/386/main9.s:16
 acid:
cinap_lenrek 2015-11-30 20:08:22 +01:00
parent 1d8f2ac050
commit bdaa002255


@ -448,35 +448,6 @@ syncjar(Jar *jar)
return 0;
}
Jar*
readjar(char *file)
{
char *lock, *p;
Jar *jar;
jar = newjar();
lock = emalloc9p(strlen(file)+10);
strcpy(lock, file);
if((p = strrchr(lock, '/')) != nil)
p++;
else
p = lock;
memmove(p+2, p, strlen(p)+1);
p[0] = 'L';
p[1] = '.';
jar->lockfile = lock;
jar->file = file;
jar->dirty = 0;
if(syncjar(jar) < 0){
free(jar->file);
free(jar->lockfile);
free(jar);
return nil;
}
return jar;
}
void
closejar(Jar *jar)
{
@ -492,11 +463,41 @@ closejar(Jar *jar)
for(i=0; i<jar->nc; i++)
freecookie(&jar->c[i]);
free(jar->lockfile);
free(jar->file);
free(jar->c);
free(jar);
}
Jar*
readjar(char *file)
{
char *lock, *p;
Jar *jar;
jar = newjar();
file = estrdup9p(file);
lock = emalloc9p(strlen(file)+10);
strcpy(lock, file);
if((p = strrchr(lock, '/')) != nil)
p++;
else
p = lock;
memmove(p+2, p, strlen(p)+1);
p[0] = 'L';
p[1] = '.';
jar->lockfile = lock;
jar->file = file;
jar->dirty = 0;
if(syncjar(jar) < 0){
closejar(jar);
return nil;
}
return jar;
}
/*
* Domain name matching is per RFC2109, section 2:
*
@ -1152,8 +1153,7 @@ fswrite(Req *r)
}
}
snprint(a->outhttp, AuxBuf, "%J", j);
if(j)
closejar(j);
closejar(j);
}else{
if(strlen(a->inhttp)+r->ifcall.count >= AuxBuf){
respond(r, "http headers too large");
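Review bot: The now-unconditional `closejar(j);` in fswrite (third hunk) is safe only if closejar returns early on a nil jar, and the start of closejar lies between the hunks and is not shown; the visible tail reads `jar->nc` without a check. readjar still returns nil when syncjar fails, so if `j` at this call site can be nil, please confirm closejar begins with `if(jar == nil) return;` or keep the `if(j)` guard. The error path in readjar now also goes through closejar, so whatever closejar does before its frees (outside the hunk) will run on a jar whose sync just failed, which is worth a quick check. Finally, the crash in the trace came from freeing the caller's `file` pointer, so a short comment on readjar would record the new ownership rule, e.g. `/* jar owns private copies of file and lockfile; closejar frees both */`.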