Module Name: src Committed By: christos Date: Sun Apr 19 19:05:19 UTC 2015
Modified Files: src/libexec/httpd: cgi-bozo.c Log Message: Fix deref "command" after "free(file)", from KIYOHARA Takashi To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/libexec/httpd/cgi-bozo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/libexec/httpd/cgi-bozo.c
diff -u src/libexec/httpd/cgi-bozo.c:1.25 src/libexec/httpd/cgi-bozo.c:1.26
--- src/libexec/httpd/cgi-bozo.c:1.25 Tue Jun 24 03:23:59 2014
+++ src/libexec/httpd/cgi-bozo.c Sun Apr 19 15:05:19 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: cgi-bozo.c,v 1.25 2014/06/24 07:23:59 shm Exp $ */
+/* $NetBSD: cgi-bozo.c,v 1.26 2015/04/19 19:05:19 christos Exp $ */
 /* $eterna: cgi-bozo.c,v 1.40 2011/11/18 09:21:15 mrg Exp $ */
@@ -247,7 +247,8 @@ bozo_process_cgi(bozo_httpreq_t *request
 char date[40];
 bozoheaders_t *headp;
 const char *type, *clen, *info, *cgihandler;
- char *query, *s, *t, *path, *env, *command, *file, *url;
+ char *query, *s, *t, *path, *env, *file, *url;
+ char command[MAXPATHLEN];
 char **envp, **curenvp, *argv[4];
 char *uri;
 size_t len;
@@ -284,7 +285,6 @@ bozo_process_cgi(bozo_httpreq_t *request
 path = NULL;
 envp = NULL;
 cgihandler = NULL;
- command = NULL;
 info = NULL;
 len = strlen(url);
@@ -309,12 +309,13 @@ bozo_process_cgi(bozo_httpreq_t *request
 ix = 0;
 if (cgihandler) {
- command = file + 1;
+ snprintf(command, sizeof(command), "%s", file + 1);
 path = bozostrdup(httpd, cgihandler);
 argv[ix++] = path;
 /* argv[] = [ path, command, query, NULL ] */
 } else {
- command = file + CGIBIN_PREFIX_LEN + 1;
+ snprintf(command, sizeof(command), "%s",
+ file + CGIBIN_PREFIX_LEN + 1);
 if ((s = strchr(command, '/')) != NULL) {
 info = bozostrdup(httpd, s);
 *s = '\0';
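Review bot: The new `char command[MAXPATHLEN];` declaration in the `@@ -247,7 +247,8 @@` hunk has no comment saying why the script name is now copied instead of pointing into `file`. Per the log message the old pointer was dereferenced after `free(file)`, so a one-line comment such as `/* private copy: file is freed while command is still in use */` would keep a later cleanup from turning it back into an alias. The declarations belong to bozo_process_cgi, whose body continues outside the hunk.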
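Review bot: Both `snprintf(command, sizeof(command), "%s", ...)` calls in the `@@ -309,12 +309,13 @@` hunk discard the return value, so a name longer than MAXPATHLEN - 1 bytes is silently truncated and the shortened string is what the rest of the function uses as the CGI program name. Since `file` appears to be derived from the request URL, truncation is better treated as an error, e.g. `if ((size_t)snprintf(command, sizeof(command), "%s", file + 1) >= sizeof(command))` followed by the function's usual error and cleanup path, and likewise in the `CGIBIN_PREFIX_LEN` branch. Separately, `*s = '\0'` now cuts the local copy rather than `file`, so any later code that relied on `file` ending at the path-info slash should be checked; the rest of bozo_process_cgi is outside the hunk.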