Current-Users archive


bozohttpd accesses free()-ed memory



Hi!


I report this problem.

bozohttpd accesses free()-ed memory in bozo_process_cgi().
I encounter a segmentation fault on Linux with the original bozohttpd.


http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/cgi-bozo.c?rev=1.25&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

int
bozo_process_cgi(bozo_httpreq_t *request)
{
	:

	char  *query, *s, *t, *path, *env, *command, *file, *url;

	:

	if (uri[0] == '/')
	   	file = bozostrdup(httpd, uri);
	else
		asprintf(&file, "/%s", uri);
	:

	if (cgihandler) {
		command = file + 1;

		:
	} else {
		command = file + CGIBIN_PREFIX_LEN + 1;

		:
	}
	argv[ix++] = command;		<-- command points file + n.

	:

	free(file);

	:

	switch (fork()) {
	        :
	case 0:
		:

		if (-1 == execve(path, argv, envp))	<-- accesses free()-ed memory.

		:
	}

Thanks,
--
kiyohara
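
The aliasing reported above, next to one way to remove it, as an added example that is not part of the original message or of bozohttpd's source. The helper names and the PREFIX_LEN value are assumptions made for illustration, and the dangling pointer is detected by address range rather than dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX_LEN ((size_t)8) /* assumed: strlen("cgi-bin/"), stand-in for CGIBIN_PREFIX_LEN */

/* Build "/<uri>" on the heap, like the bozostrdup()/asprintf() step in the excerpt. */
static char *make_file(const char *uri) {
	size_t n = strlen(uri) + 2;
	char *file = malloc(n);
	if (file != NULL) snprintf(file, n, "%s%s", uri[0] == '/' ? "" : "/", uri);
	return file;
}

/* 1 if p points into the len+1 bytes allocated at base. */
static int points_into(const char *p, const char *base, size_t len) {
	return (uintptr_t)p >= (uintptr_t)base && (uintptr_t)p <= (uintptr_t)base + len;
}

/* Runs the excerpt's steps through free(file). copy == 0 keeps argv[0] as an alias
 * of file (as reported); copy != 0 gives argv[0] its own storage and writes it to out.
 * Returns 1 if argv[0] dangles after the free, 0 if it does not, -1 on error. */
static int cgi_argv_after_free(const char *uri, int copy, char *out, size_t outlen) {
	char *argv[2] = { NULL, NULL }, *own = NULL, *file = make_file(uri);
	int dangles;
	if (file == NULL || strlen(file) <= PREFIX_LEN + 1) { free(file); return -1; }
	argv[0] = file + PREFIX_LEN + 1;            /* command = file + n */
	if (copy) {                                 /* give argv[0] its own bytes */
		size_t n = strlen(argv[0]) + 1;
		if ((own = malloc(n)) == NULL) { free(file); return -1; }
		argv[0] = memcpy(own, argv[0], n);
	}
	dangles = points_into(argv[0], file, strlen(file));
	free(file);                                 /* the free() the report points at */
	if (own != NULL) {                          /* argv[0] == own, still valid here */
		snprintf(out, outlen, "%s", own);   /* what execve() would be handed */
		free(own);
	}
	return dangles;
}

int main(void) {
	char buf[64] = "";
	printf("alias: dangles=%d\n", cgi_argv_after_free("/cgi-bin/test.cgi", 0, buf, sizeof buf));
	printf("copy:  dangles=%d\n", cgi_argv_after_free("cgi-bin/test.cgi", 1, buf, sizeof buf));
	return 0;
}
```

Moving free(file) to after the last use of argv removes the dangling pointer as well, without the extra copy.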

