On Thu, Dec 14, 2023 at 04:44:47PM -0500, Ben Kallus wrote:
> memcpy to or from NULL is undefined behavior, even for copies of
> length 0. See this godbolt link for an example of how this can cause
> problems: https://gcc.godbolt.org/z/zfvnMMsds
>
> This patch avoids calling memcpy for 0-length buckets, so that buckets
> with NULL data and 0 length don't cause UB when flattened.
>
> Addresses this bugzilla report from httpd:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=68278
Thanks for the patch, this is an interesting find. Can you say what
bucket type was hit here - e.g. print b->type->name in gdb from inside
apr_brigade_flatten()?
It looks like metadata bucket types tend to give NULL on read() so I'm
guessing that's the case here. It would trip up other apr_brigade_*
functions in similar ways, e.g. split_line looks wrong too. You can make
a case that ignoring FLUSH is "safe" but it's probably undesirable, and
trying to flatten across an EOS is almost certainly wrong.
So I'm not sure, maybe a better/safer response is to catch metadata
buckets and treat them as end-of-brigade or an error rather than
zero-length data buckets. apr_brigade_split_boundary has an API
condition for that to explicitly return APR_INCOMPLETE.
Regards, Joe
>
> --- apr_brigade-old.c 2023-12-14 21:12:48.616409321 +0000 +++
> apr_brigade.c 2023-12-14 21:10:20.477289754 +0000 @@ -278,7 +278,9 @@
> *
> * No, we only copy the data up to their requested size. -- jre
> */
> - memcpy(c, str, str_len);
> + if (str_len > 0) {
> + memcpy(c, str, str_len);
> + }
>
> c += str_len;
> actual += str_len;
>
