1. tried to free the same thing twice
2. wrote past the end of a malloc'ed buffer: a typical array overflow,
because arrays are 0-based and we wrote into array[length]. I increased
the whole buffer by 1 so I could leave the rest of the code alone. It
probably looks a little ugly now, but I didn't want to try a bigger rewrite.
>From 5421778428053d355d14344999219eca31ae4b41 Mon Sep 17 00:00:00 2001
From: hio_ <[email protected]>
Date: Mon, 14 Nov 2011 21:54:18 +0100
Subject: [PATCH 2/2] two bugs I quickfixed
---
src/mk_connection.c | 2 +-
src/mk_request.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/mk_connection.c b/src/mk_connection.c
index 5789971..2b40743 100644
--- a/src/mk_connection.c
+++ b/src/mk_connection.c
@@ -142,7 +142,7 @@ int mk_conn_write(int socket)
}
else if (ret == 0) {
if (mk_http_request_end(socket) < 0) {
- mk_request_free_list(cs);
+ // mk_request_free_list(cs);
return -1;
}
else {
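Review bot: Commenting out `mk_request_free_list(cs);` leaves dead code on this error path of mk_conn_write and no record of why the free must not happen here. If, as the patch description implies, the list is already released elsewhere (the other free is not visible in this hunk), delete the line and put the reason in its place, for example `/* request list is freed by <owner>; freeing it here was a double free */`. It is also worth confirming that the remaining free runs unconditionally whenever this branch returns -1, otherwise the double free has been traded for a leak. mk_conn_write starts and ends outside the hunk.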
diff --git a/src/mk_request.c b/src/mk_request.c
index afb6614..ed09f27 100644
--- a/src/mk_request.c
+++ b/src/mk_request.c
@@ -558,14 +558,14 @@ int mk_handler_read(int socket, struct client_session *cs)
*/
if (cs->body == cs->body_fixed) {
MK_TRACE("Fixed to dynamic");
- cs->body = mk_mem_malloc(new_size);
+ cs->body = mk_mem_malloc(new_size+1);
cs->body_size = new_size;
memcpy(cs->body, cs->body_fixed, cs->body_length);
MK_TRACE("Size: %i, Length: %i", new_size, cs->body_length);
}
else {
MK_TRACE("Realloc from %i to %i", cs->body_size, new_size);
- tmp = mk_mem_realloc(cs->body, new_size);
+ tmp = mk_mem_realloc(cs->body, new_size+1);
if (tmp) {
cs->body = tmp;
cs->body_size = new_size;
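Review bot: The extra byte added to both allocations is an invariant that nothing records: `cs->body_size` stays at `new_size` while the buffer is `new_size+1`, so a later edit that sizes from `body_size` would quietly reintroduce the one-byte heap overflow the description mentions. A comment above the `mk_mem_malloc` call such as `/* +1: room for the byte written at body[body_length] when the buffer is full */` would pin it down, assuming that is the write being covered, since the write itself is outside the hunk. Separately, the fixed-to-dynamic branch passes the `mk_mem_malloc` result straight to `memcpy` while the realloc branch checks `tmp`; unless `mk_mem_malloc` aborts on failure, that branch needs a NULL check before the copy. mk_handler_read starts and ends outside the hunk.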
@@ -580,7 +580,7 @@ int mk_handler_read(int socket, struct client_session *cs)
/* Read content */
bytes = mk_socket_read(socket, cs->body + cs->body_length,
(cs->body_size - cs->body_length));
-
+
MK_TRACE("[FD %i] read %i", socket, bytes);
if (bytes < 0) {
--
1.7.7