# HG changeset patch
# User Olaf Wintermann
# Date 1685554750 -7200
# Node ID 8827517054ec72f06624a42e01fb0a05153a5879
# Parent d511c13ba68d245cd394e0f96f11e600978d03d5
fix cgi response could send an uninitialized buffer
diff -r d511c13ba68d -r 8827517054ec src/server/safs/cgi.c
--- a/src/server/safs/cgi.c Wed May 31 13:08:49 2023 +0200
+++ b/src/server/safs/cgi.c Wed May 31 19:39:10 2023 +0200
@@ -240,9 +240,7 @@
 // copy remaining bytes to the write buffer
 // we assume there are no remaining bytes in writebuf
 size_t remaining = size-pos;
- if(remaining <= handler->writebuf_alloc) {
- memcpy(handler->writebuf, buf+pos, remaining);
- } else {
+ if(remaining > handler->writebuf_alloc) {
 handler->writebuf_alloc = size > 4096 ? size : 4096;
 handler->writebuf = pool_realloc(sn->pool, handler->writebuf, handler->writebuf_alloc);
 if(!handler->writebuf) {
@@ -250,6 +248,7 @@
 return 1;
 }
 }
+ memcpy(handler->writebuf, buf+pos, remaining);
 handler->writebuf_size = remaining;
 handler->writebuf_pos = 0;
@@ -261,9 +260,9 @@
 }
 handler->poll_out = TRUE;
 }
- return 1;
+ } else {
+ handler->result = REQ_ABORTED;
 }
- handler->result = REQ_ABORTED;
 return 1;
 }
@@ -293,6 +292,7 @@
 // try to flush handler->writebuf
 // if writebuf is empty, this does nothing and returns 0
 if(cgi_try_write_flush(handler, sn)) {
+ log_ereport(LOG_DEBUG, "cgi-send: req: %p write failed: abort", rq);
 return handler->result == REQ_ABORTED ? 0 : 1;
 }
@@ -461,6 +461,7 @@
 Session *sn = parser->sn;
 Request *rq = parser->rq;
+ log_ereport(LOG_DEBUG, "cgi-send: req: %p event-finish", rq);
 if(handler->result == REQ_ABORTED) {
 log_ereport(LOG_FAILURE, "cgi-send: kill script: %s", handler->path);
 kill(handler->process.pid, SIGKILL);
@@ -507,6 +508,7 @@
 net_setnonblock(sn->csd, 0);
 // return to nsapi loop
+ log_ereport(LOG_DEBUG, "cgi-send: req: %p event-finish nsapi return", rq);
 nsapi_function_return(sn, rq, handler->result);
 return 0;
 }
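Review bot: In the grow branch of the @@ -240 hunk, `handler->writebuf_alloc` is updated and `handler->writebuf` is overwritten before the `pool_realloc` result is checked, so a failed allocation leaves a NULL buffer recorded with a non-zero capacity. Because the `memcpy` is now unconditional (@@ -250 hunk), any later pass through this code with `remaining <= handler->writebuf_alloc` would copy through NULL; the line between the two hunks is not visible, so whether the handler can be re-entered after this failure is unconfirmed. Allocating through a temporary keeps the state consistent: `void *nb = pool_realloc(sn->pool, handler->writebuf, new_alloc);`, then `handler->writebuf = nb; handler->writebuf_alloc = new_alloc;` only after the NULL check. The enclosing function starts and ends outside both hunks.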
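Review bot: The debug message added in the @@ -293 hunk says "write failed: abort", but the very next line returns 1 when `handler->result` is not `REQ_ABORTED`, so this branch also covers a flush that did not abort the request. A log line that claims an abort on every incomplete flush will mislead anyone reconstructing a request from debug logs. Report the actual outcome instead, for example `log_ereport(LOG_DEBUG, "cgi-send: req: %p flush incomplete, aborted: %d", rq, handler->result == REQ_ABORTED);`. The enclosing function starts and ends outside the hunk.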
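Review bot: The new `log_ereport` call in the @@ -461 hunk passes `rq`, a `Request *`, to `%p` without a cast, and the calls added in the @@ -293 and @@ -507 hunks do the same. If `log_ereport` follows printf conventions (not confirmed from this diff), `%p` expects `void *`, so `(void*)rq` is the portable form: `log_ereport(LOG_DEBUG, "cgi-send: req: %p event-finish", (void*)rq);`. These lines also put heap addresses into the log, so if the server has a per-request identifier it would be a better correlation key wherever debug logs are shared outside the host.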