trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From zw...@apache.org
Subject svn commit: r1180759 - in /trafficserver/traffic/trunk: CHANGES proxy/StatPages.cc proxy/StatSystem.cc
Date Mon, 10 Oct 2011 02:02:41 GMT
Author: zwoop
Date: Mon Oct 10 02:02:39 2011
New Revision: 1180759

URL: http://svn.apache.org/viewvc?rev=1180759&view=rev
Log:
TS-979 Found a few places where we can segfault with strlcpy

Modified:
    trafficserver/traffic/trunk/CHANGES
    trafficserver/traffic/trunk/proxy/StatPages.cc
    trafficserver/traffic/trunk/proxy/StatSystem.cc

Modified: trafficserver/traffic/trunk/CHANGES
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/CHANGES?rev=1180759&r1=1180758&r2=1180759&view=diff
==============================================================================
--- trafficserver/traffic/trunk/CHANGES (original)
+++ trafficserver/traffic/trunk/CHANGES Mon Oct 10 02:02:39 2011
@@ -1,5 +1,7 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 3.1.1
+  *) [TS-979] Found a few places where we can segfault with strlcpy.
+
   *) [TS-938] Fix VIA to avoid loopback address.
 
   *) [TS-945] Convert transparent forward requests to server style when

Modified: trafficserver/traffic/trunk/proxy/StatPages.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/StatPages.cc?rev=1180759&r1=1180758&r2=1180759&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/StatPages.cc (original)
+++ trafficserver/traffic/trunk/proxy/StatPages.cc Mon Oct 10 02:02:39 2011
@@ -73,12 +73,15 @@ StatPagesManager::handle_http(Continuati
   if (((m_enabled == 1 || m_enabled == 3) && is_cache_inspector_page(url)) ||
       ((m_enabled == 2 || m_enabled == 3) && is_stat_page(url) && !is_cache_inspector_page(url)))
{
     int host_len;
-    char host[1024];
+    char host[MAXDNAME + 1];
     const char *h;
     int i;
 
     h = url->host_get(&host_len);
-    ink_strlcpy(host, h, sizeof(host));
+    if (host_len > MAXDNAME)
+      host_len = MAXDNAME;
+    memcpy(host, h, host_len);
+    host[host_len] = '\0';
     host_len = unescapifyStr(host);
 
     for (i = 0; i < n_stat_pages; i++) {
@@ -92,16 +95,18 @@ StatPagesManager::handle_http(Continuati
   return ACTION_RESULT_DONE;
 }
 
-bool StatPagesManager::is_stat_page(URL * url)
+bool
+StatPagesManager::is_stat_page(URL * url)
 {
   int length;
   const char *h = url->host_get(&length);
-  char host[1024];
+  char host[MAXDNAME + 1];
 
-  if (h == NULL || length < 2)
+  if (h == NULL || length < 2 || length > MAXDNAME)
     return false;
 
-  ink_strlcpy(host, h, sizeof(host));
+  memcpy(host, h, length);
+  host[length] = '\0';
   length = unescapifyStr(host);
 
   if ((host[0] == '{') && (host[length - 1] == '}'))
@@ -110,16 +115,18 @@ bool StatPagesManager::is_stat_page(URL 
   return false;
 }
 
-bool StatPagesManager::is_cache_inspector_page(URL * url)
+bool
+StatPagesManager::is_cache_inspector_page(URL * url)
 {
   int length;
   const char *h = url->host_get(&length);
-  char host[1024];
+  char host[MAXDNAME + 1];
 
-  if (h == NULL || length < 2)
+  if (h == NULL || length < 2 || length > MAXDNAME)
     return false;
 
-  ink_strlcpy(host, h, sizeof(host));
+  memcpy(host, h, length);
+  host[length] = '\0';
   length = unescapifyStr(host);
 
   if (strncmp(host, "{cache}", length) == 0)

Modified: trafficserver/traffic/trunk/proxy/StatSystem.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/StatSystem.cc?rev=1180759&r1=1180758&r2=1180759&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/StatSystem.cc (original)
+++ trafficserver/traffic/trunk/proxy/StatSystem.cc Mon Oct 10 02:02:39 2011
@@ -406,20 +406,20 @@ stat_callback(Continuation * cont, HTTPH
   url = header->url_get();
   path = url->path_get(&length);
 
-
   char *buffer = NULL;
   int buffer_len = 0;
   int num_prefix_buffer;
 
   char *var_prefix = (char *)alloca((length + 1) * sizeof(char));
+
   memset(var_prefix, 0, ((length + 1) * sizeof(char)));
-  ink_strlcpy(var_prefix, path, length + 1);
+  if (path && length > 0)
+    ink_strlcpy(var_prefix, path, length + 1);
 
   num_prefix_buffer = RecGetRecordPrefix_Xmalloc(var_prefix, &buffer, &buffer_len);
   empty = (num_prefix_buffer == 0);
 
   if (!empty) {
-
     result_size = (buffer_len + 16) * sizeof(char);
     result = (char *)ats_malloc(result_size);
     memset(result, 0, result_size);



Mime
View raw message