On Wed, 27 Mar 2002, Brian Pane wrote:
> >+ if (ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length) {
> >+ *tag = NULL;
> >+ return;
> >+ }
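Review bot: the `>` in `ctx->curr_tag_pos - ctx->combined_tag > ctx->tag_length` still admits a position exactly `tag_length` bytes into the copy; that is the terminating NUL if `tag_length` is a `strlen()`-style count, but already one past the copy if `tag_length` includes the NUL, so the hunk should state (or assert) which convention `tag_length` follows, or switch to `>=` if it is the latter. Also note that this guard only detects an overrun after `curr_tag_pos` has already been advanced past the terminator; the place where it is advanced is where the invariant should be enforced.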
>
> My only objection to this is that ctx->curr_tag_pos is supposed
> to point to a null-terminated copy of the directive, and all the
> subsequent looping logic in ap_ssi_tag_and_value() depends on
> that. Are we hitting a case where this string isn't null-terminated
> (meaning that the root cause of the problem is somewhere else)?
Yes. There are at least these two lines:
*(c-shift_val) = '\0'; /* Overwrites delimiter (term or WS) with NULL. */
ctx->curr_tag_pos = ++c;
... what if c points to the null terminating character at the very end of
the last value with shift_val==0 (though that shouldn't matter). We
overwrite the null char with another null char and then set curr_tag_pos
to be just past the null char. All of the sudden we have curr_tag_pos
pointing to arbitrary garbage. It seems to me that the same thing could
happen in slightly different circumstances in all of the places in
ap_ssi_get_tag_and_value() where ctx->curr_tag_pos is set, since it's
always set to be the character just *after* one we know to be a null
terminator.
> I'm willing to take a look at this later today. The only problem
> is that I can't recreate this problem (or the first one) with the
> latest CVS head of httpd-test and httpd-2.0. Is there any special
> configuration needed to trigger the bug?
Apply the latest rev of my buckets api patch and it will be magically
uncovered [at least I think it's magical and not my fault ;]. Then it
will crop up in if6.shtml and if7.shtml (tests 30 and 31 of
modules/include.t I think). Only one of them will "fail", but if you look
at t/logs/error_log and search for if6.shtml you'll see what I'm talking
about.
--Cliff
--------------------------------------------------------------
Cliff Woolley
[EMAIL PROTECTED]
Charlottesville, VA
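The failure mode Cliff describes, as an added example that is not part of this thread or of mod_include: a constructed, simplified stand-in for the parse context (the names `ssi_ctx`, `advance_unchecked`, `advance_checked`, `pos_out_of_bounds` and `scan_last_value` are hypothetical) showing the unconditional `++c` landing one past the terminator when `c` already sits on the final NUL, next to a variant that checks for the terminator before stepping past it.

```c
#include <string.h>

/* Constructed stand-in for the mod_include parse context (hypothetical names). */
typedef struct {
    char   *combined_tag;  /* null-terminated copy of the directive */
    char   *curr_tag_pos;  /* where the next tag/value scan starts */
    size_t  tag_length;    /* strlen(combined_tag), excluding the NUL */
} ssi_ctx;

/* The pattern under discussion: terminate the value at c-shift_val, then step
 * past c unconditionally. If c already sits on the terminating NUL, curr_tag_pos
 * lands one past it, outside the string, and later loops read garbage. */
static void advance_unchecked(ssi_ctx *ctx, char *c, int shift_val)
{
    *(c - shift_val) = '\0';
    ctx->curr_tag_pos = ++c;
}

/* Guarded variant: only step past c when it was a real delimiter, never past
 * the terminator itself. */
static void advance_checked(ssi_ctx *ctx, char *c, int shift_val)
{
    int at_end = (*c == '\0');
    *(c - shift_val) = '\0';
    ctx->curr_tag_pos = at_end ? c : c + 1;
}

/* Same bound the quoted hunk tests: 1 if curr_tag_pos is outside
 * [combined_tag, combined_tag + tag_length]. */
static int pos_out_of_bounds(const ssi_ctx *ctx)
{
    return ctx->curr_tag_pos < ctx->combined_tag ||
           (size_t)(ctx->curr_tag_pos - ctx->combined_tag) > ctx->tag_length;
}

/* Drive either variant with c on the final NUL of a constructed directive
 * (the "last value, shift_val==0" case). Returns 1 if the resulting
 * position is out of bounds. */
int scan_last_value(int checked)
{
    char directive[] = "expr=\"$a\"";           /* constructed sample input */
    ssi_ctx ctx = { directive, directive, strlen(directive) };
    char *c = directive + strlen(directive);     /* points at the terminator */
    if (checked)
        advance_checked(&ctx, c, 0);
    else
        advance_unchecked(&ctx, c, 0);
    return pos_out_of_bounds(&ctx);
}
```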