webcookies: strdup() file argument to avoid crash (thanks mischief)
mischief reports: acid: lstk() abort()+0x0 /sys/src/libc/9sys/abort.c:6 ppanic(p=0x1bff4,fmt=0x1d749)+0x146 /sys/src/libc/port/malloc.c:166 pv=0x1dad8 msg=0x1e4a8 v=0x3ffffe7c n=0x2f D2B(p=0x1bff4,v=0x3fffffae)+0x57 /sys/src/libc/port/pool.c:926 a=0x3fffffa4 poolfreel(v=0x3fffffae,p=0x1bff4)+0x20 /sys/src/libc/port/pool.c:1152 ab=0x1dad8 poolfree(p=0x1bff4,v=0x3fffffae)+0x3b /sys/src/libc/port/pool.c:1287 free(v=0x3fffffb6)+0x23 /sys/src/libc/port/malloc.c:250 readjar(file=0x3fffffb6)+0xce /sys/src/cmd/webcookies.c:473 jar=0x1ea28 lock=0x1ea68 p=0x1ea6d main(argv=0x3fffffa0,argc=0x0)+0x10f /sys/src/cmd/webcookies.c:1295 file=0x3fffffb6 srv=0x0 mtpt=0x1cfd0 _argc=0x66 _args=0x1cfe0 home=0x0 _main+0x31 /sys/src/libc/386/main9.s:16 acid:
parent
1d8f2ac050
commit
bdaa002255
1 changed files with 31 additions and 31 deletions
|
@ -448,35 +448,6 @@ syncjar(Jar *jar)
|
|||
return 0;
|
||||
}
|
||||
|
||||
Jar*
|
||||
readjar(char *file)
|
||||
{
|
||||
char *lock, *p;
|
||||
Jar *jar;
|
||||
|
||||
jar = newjar();
|
||||
lock = emalloc9p(strlen(file)+10);
|
||||
strcpy(lock, file);
|
||||
if((p = strrchr(lock, '/')) != nil)
|
||||
p++;
|
||||
else
|
||||
p = lock;
|
||||
memmove(p+2, p, strlen(p)+1);
|
||||
p[0] = 'L';
|
||||
p[1] = '.';
|
||||
jar->lockfile = lock;
|
||||
jar->file = file;
|
||||
jar->dirty = 0;
|
||||
|
||||
if(syncjar(jar) < 0){
|
||||
free(jar->file);
|
||||
free(jar->lockfile);
|
||||
free(jar);
|
||||
return nil;
|
||||
}
|
||||
return jar;
|
||||
}
|
||||
|
||||
void
|
||||
closejar(Jar *jar)
|
||||
{
|
||||
|
@ -492,11 +463,41 @@ closejar(Jar *jar)
|
|||
for(i=0; i<jar->nc; i++)
|
||||
freecookie(&jar->c[i]);
|
||||
|
||||
free(jar->lockfile);
|
||||
free(jar->file);
|
||||
free(jar->c);
|
||||
free(jar);
|
||||
}
|
||||
|
||||
Jar*
|
||||
readjar(char *file)
|
||||
{
|
||||
char *lock, *p;
|
||||
Jar *jar;
|
||||
|
||||
jar = newjar();
|
||||
file = estrdup9p(file);
|
||||
lock = emalloc9p(strlen(file)+10);
|
||||
strcpy(lock, file);
|
||||
if((p = strrchr(lock, '/')) != nil)
|
||||
p++;
|
||||
else
|
||||
p = lock;
|
||||
memmove(p+2, p, strlen(p)+1);
|
||||
p[0] = 'L';
|
||||
p[1] = '.';
|
||||
jar->lockfile = lock;
|
||||
jar->file = file;
|
||||
jar->dirty = 0;
|
||||
|
||||
if(syncjar(jar) < 0){
|
||||
closejar(jar);
|
||||
return nil;
|
||||
}
|
||||
return jar;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Domain name matching is per RFC2109, section 2:
|
||||
*
|
||||
|
@ -1152,8 +1153,7 @@ fswrite(Req *r)
|
|||
}
|
||||
}
|
||||
snprint(a->outhttp, AuxBuf, "%J", j);
|
||||
if(j)
|
||||
closejar(j);
|
||||
closejar(j);
|
||||
}else{
|
||||
if(strlen(a->inhttp)+r->ifcall.count >= AuxBuf){
|
||||
respond(r, "http headers too large");
|
||||
|
|
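Review bot: In the fswrite hunk the `if(j)` guard in front of `closejar(j)` is dropped, so a nil `j` now reaches closejar, whose visible tail dereferences `jar->nc` and `jar->c`. The opening lines of closejar are outside the hunks shown, so this is only safe if it starts with a check such as `if(jar == nil) return;`; otherwise keep the guard as `if(j != nil) closejar(j);`, since fswrite appears to handle client writes and a nil dereference there would take the cookie file server down. The same unseen prologue matters for the new failure path in readjar: `closejar(jar)` replaces three plain `free()` calls, so if closejar also writes the jar back, it would do so for a jar that has just failed `syncjar`. A one-line comment on readjar such as `/* jar->file is a private copy of file; closejar frees it */` would record the ownership rule this commit establishes.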