fix cgi response could send an uninitialized buffer

Wed, 31 May 2023 19:39:10 +0200

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Wed, 31 May 2023 19:39:10 +0200
changeset 497
8827517054ec
parent 496
d511c13ba68d
child 498
0d80f8a2b29f

fix cgi response could send an uninitialized buffer

src/server/safs/cgi.c
--- a/src/server/safs/cgi.c	Wed May 31 13:08:49 2023 +0200
+++ b/src/server/safs/cgi.c	Wed May 31 19:39:10 2023 +0200
@@ -240,9 +240,7 @@
             // copy remaining bytes to the write buffer
             // we assume there are no remaining bytes in writebuf
             size_t remaining = size-pos;
-            if(remaining <= handler->writebuf_alloc) {
-                memcpy(handler->writebuf, buf+pos, remaining);
-            } else {
+            if(remaining > handler->writebuf_alloc) {
                 handler->writebuf_alloc = size > 4096 ? size : 4096;
                 handler->writebuf = pool_realloc(sn->pool, handler->writebuf, handler->writebuf_alloc);
                 if(!handler->writebuf) {
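Review bot: `handler->writebuf_alloc` is raised and `handler->writebuf` is overwritten before the `pool_realloc` result is checked, so a failed allocation leaves the handler recording a non-zero capacity with a NULL buffer and no reference to the old one. With the `memcpy` now unconditional in the next hunk, a later pass through this path with `remaining <= handler->writebuf_alloc` would copy into NULL; whether the handler is ever reused after this failure is not visible here. Compute the new size into a local, call `void *nb = pool_realloc(sn->pool, handler->writebuf, newalloc);`, and store `nb` and `newalloc` into the handler only when `nb` is non-NULL. The body of the NULL check lies between this hunk and the next and is not shown.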
@@ -250,6 +248,7 @@
                     return 1;
                 }
             }
+            memcpy(handler->writebuf, buf+pos, remaining);
             handler->writebuf_size = remaining;
             handler->writebuf_pos = 0;
             
@@ -261,9 +260,9 @@
                 }
                 handler->poll_out = TRUE;
             }
-            return 1;
+        } else {
+            handler->result = REQ_ABORTED;
         }
-        handler->result = REQ_ABORTED;
         return 1;
     }
     
@@ -293,6 +292,7 @@
     // try to flush handler->writebuf
     // if writebuf is empty, this does nothing and returns 0
     if(cgi_try_write_flush(handler, sn)) {
+        log_ereport(LOG_DEBUG, "cgi-send: req: %p write failed: abort", rq);
         return handler->result == REQ_ABORTED ? 0 : 1;
     }
     
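Review bot: The new debug line reports "write failed: abort" for every non-zero return of `cgi_try_write_flush`, but the next line shows that a non-zero return with `handler->result != REQ_ABORTED` is handled as a non-abort outcome (the function returns 1, presumably because output was buffered for a later write). On that path the message misstates what happened, which makes the trace misleading when diagnosing truncated or stalled CGI responses. Log the abort only where it is one, e.g. `if(handler->result == REQ_ABORTED) log_ereport(LOG_DEBUG, "cgi-send: req: %p write aborted", rq);`, or word the message neutrally. The enclosing function starts and ends outside the hunk.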
@@ -461,6 +461,7 @@
     Session *sn = parser->sn;
     Request *rq = parser->rq;
       
+    log_ereport(LOG_DEBUG, "cgi-send: req: %p event-finish", rq);
     if(handler->result == REQ_ABORTED) {
         log_ereport(LOG_FAILURE, "cgi-send: kill script: %s", handler->path);
         kill(handler->process.pid, SIGKILL);
@@ -507,6 +508,7 @@
     net_setnonblock(sn->csd, 0);
     
     // return to nsapi loop
+    log_ereport(LOG_DEBUG, "cgi-send: req: %p event-finish nsapi return", rq);
     nsapi_function_return(sn, rq, handler->result);
     return 0;
 }
