Bug #1647
cgi_env_add does not terminate the env list with null
| Status: | Invalid | Start: | |
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | mod_cgi | | |
| Target version: | 1.5.0 | | |
| Pending: | | Resolution: | invalid |
| Patch available: | | | |
Description
mod_cgi calls execve, which takes a pointer to the environment of the form char* envp[]. The last of those pointers should be null, and every string should be zero terminated.
The function cgi_env_add does not guarantee that the last env pointer will be null. I pasted the corrected code. This code makes sure there's an extra pointer at the end and, after adding the new environment and increasing the count, adds a 0 in the last one.
    int cgi_env_add(char_array *env, const char *key, size_t key_len, const char *val, size_t val_len) {
        char *dst;
        /* ... part of the function is not shown here ... */
        } else if (env->size == (env->used+1)) { /* changed: grow while one slot is still free */
            env->size += 16;
            env->ptr = (char**)realloc(env->ptr, env->size * sizeof(*env->ptr));
        }
        env->ptr[env->used++] = dst;
        env->ptr[env->used] = 0; /* added: null-terminate the list after every add */
        return 0;
    }
-- mibrahim
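
The invariant the report asks for, as a self-contained C example added here for illustration (it is not lighttpd's code and not the reporter's patch). The names `env_list`, `env_list_add`, `env_list_walk` and `env_list_demo` are hypothetical, and the entries are constructed sample data; the list keeps `ptr[used] == NULL` after every add, including across the 16-slot growth boundary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the char_array type named in the report. */
typedef struct { char **ptr; size_t size; size_t used; } env_list;

/* Append "key=val". On success ptr[used] is NULL, so the list is a valid
 * envp for execve() after every call. Returns 0 on success, -1 on error. */
int env_list_add(env_list *env, const char *key, const char *val) {
    size_t klen, vlen;
    char **np, *dst;
    if (!env || !key || !val) return -1;
    klen = strlen(key);
    vlen = strlen(val);
    if (env->used + 2 > env->size) {   /* need room for entry + NULL */
        np = realloc(env->ptr, (env->size + 16) * sizeof(*np));
        if (!np) return -1;            /* old list stays valid */
        env->ptr = np;
        env->size += 16;
    }
    dst = malloc(klen + vlen + 2);     /* key + '=' + val + '\0' */
    if (!dst) return -1;
    memcpy(dst, key, klen);
    dst[klen] = '=';
    memcpy(dst + klen + 1, val, vlen + 1);
    env->ptr[env->used++] = dst;
    env->ptr[env->used] = NULL;        /* terminator an envp consumer stops at */
    return 0;
}

/* Walk the list the way an envp consumer does: stop at the first NULL. */
size_t env_list_walk(char *const *envp) {
    size_t n = 0;
    while (envp && envp[n]) n++;
    return n;
}

/* Constructed sample: add n entries, return how many a NULL-walk finds. */
size_t env_list_demo(size_t n) {
    env_list env = {NULL, 0, 0};
    char val[32];
    size_t i, found;
    for (i = 0; i < n; i++) {
        snprintf(val, sizeof val, "%zu", i);
        if (env_list_add(&env, "VAR", val) != 0) break;
    }
    found = env_list_walk(env.ptr);
    for (i = 0; i < env.used; i++) free(env.ptr[i]);
    free(env.ptr);
    return found;
}
int main(void) { printf("%zu\n", env_list_demo(16)); return 0; }
```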