Hi, Just to pin-point what was the guilty line: +++ b/gweb/gweb.c @@ -611,8 +611,7 @@ static void start_request(struct web_session *session) g_string_append_printf(buf, "%zx\r\n", length); g_string_append_len(buf, (char *) body, length); g_string_append(buf, "\r\n"); + } else if (session->fd == -1) + g_string_append_len(buf, (char *) body, length); + } } }
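Review bot: `g_string_append_len(buf, (char *) body, length)` in the new `else if (session->fd == -1)` branch trusts that `body` was set whenever `length` is non-zero, but nothing in the hunk checks it; the only guarantee is the convention that `session->input_func` fills `body` and `length` together. Either document that contract where the `input_func` callback is declared, or guard the append with `if (body != NULL)` so a callback that reports a length without a body fails visibly instead of handing a NULL pointer to `g_string_append_len()`.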
Let's consider the do_request() and start_request() functions:

case line 1339: do_request(type=NULL, input=NULL, fd=-1, length=0):
-> start_request(): session { content_type=NULL, input_func=NULL, fd=-1, length=0 }
-> if (session->content_type != NULL && length > 0) FALSE.
   Does nothing with fd/length, no issue here.

case line 1364: do_request(type=<val>, input=NULL, fd=<val>, length=<val>):
-> start_request(): session { content_type=<val>, input_func=NULL, fd=<val>, length=<val> }
-> if (session->content_type != NULL) {
       if (session->input_func == NULL) {
           session->more_data = FALSE;
           length = session->length;
       }
   }
   if (session->content_type != NULL && length > 0) {
       fd is definitely not -1, so it will work.
   }

case line 1346: do_request(type=<val>, input=<val>, fd=-1, length=0):
-> start_request(): session { content_type=<val>, input_func=<val>, fd=-1, length=0 }
-> if (session->content_type != NULL) {
       if (session->input_func == NULL) {
           ...
       } else
           session->more_data = session->input_func(&body, &length, session->user_data);
       (==> body and length are set, otherwise length is 0)
   }
   if (session->content_type != NULL && length > 0) {
       (==> length was set before)
       if (session->more_data == TRUE) {
           ... OK ...
       } else if (session->fd == -1)
           g_string_append_len(buf, (char *) body, length);
       ==> will work since body and length are valid.
   }

==> The failing point here is not really g_string_append_len(buf, (char *) body, length); it is session->input_func: if that one does not set length and body properly... then we are screwed.

Is it needed to check body's validity against length then? Of course, if a dev introduces a buggy input_func or provides bogus fd/length for do_request... it's introducing a bug. Imho, input_func has to fulfil body and length properly, so this is a false positive.

Tomasz

_______________________________________________
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman
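The three do_request()/start_request() cases walked through in the mail, as an added stand-alone C model; this is example code, not connman's own gweb source. The names model_session, model_start_request, run_case, good_input_func and buggy_input_func are hypothetical, a fixed char buffer stands in for the GLib GString that g_string_append_len() writes to, and the model adds the explicit body check the mail asks about, so an input_func that reports a length without setting body is reported as a broken contract instead of being copied from NULL.

```c
/* Added example, not connman's code: a stand-alone model of the
 * do_request()/start_request() decision sequence quoted in the thread.
 * model_session, model_start_request, run_case, good_input_func and
 * buggy_input_func are hypothetical names; real gweb appends to a GString. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef bool (*input_func_t)(const void **body, size_t *length, void *user_data);

struct model_session {
    const char *content_type;
    input_func_t input_func;
    int fd;
    size_t length;
    bool more_data;
    void *user_data;
};

enum branch {
    BRANCH_NONE,         /* no content type or length == 0: nothing appended */
    BRANCH_CHUNKED,      /* more_data == TRUE: chunked-encoding path */
    BRANCH_APPEND_BODY,  /* fd == -1: body from input_func appended as-is */
    BRANCH_FD,           /* fd != -1: body will be read from the descriptor */
    BRANCH_INVALID_BODY  /* length > 0 but body unset or too large: contract broken */
};

/* Mirrors start_request() as quoted in the thread; out[] plays the role of
 * the GString that g_string_append_len() would extend. */
enum branch model_start_request(struct model_session *s, char *out, size_t outsz)
{
    const void *body = NULL;
    size_t length = 0;

    out[0] = '\0';

    if (s->content_type != NULL) {
        if (s->input_func == NULL) {
            s->more_data = false;
            length = s->length;   /* caller supplied fd + length */
        } else {
            s->more_data = s->input_func(&body, &length, s->user_data);
        }
    }

    if (s->content_type == NULL || length == 0)
        return BRANCH_NONE;

    if (s->more_data)
        return BRANCH_CHUNKED;

    if (s->fd != -1)
        return BRANCH_FD;

    /* fd == -1: the append the patch introduces. input_func is required to
     * have set body together with length; check it here so a broken
     * input_func is caught instead of copying from NULL. */
    if (body == NULL || length >= outsz)
        return BRANCH_INVALID_BODY;

    memcpy(out, body, length);
    out[length] = '\0';
    return BRANCH_APPEND_BODY;
}

/* Well-behaved input_func: sets body and length together, no more data. */
bool good_input_func(const void **body, size_t *length, void *user_data)
{
    (void)user_data;
    *body = "hello";
    *length = 5;
    return false;
}

/* Broken input_func: reports a length but never sets body. */
bool buggy_input_func(const void **body, size_t *length, void *user_data)
{
    (void)user_data;
    (void)body;
    *length = 5;
    return false;
}

/* Scratch buffer so callers can inspect what the fd == -1 branch appended. */
static char last_body[64];

enum branch run_case(const char *content_type, input_func_t f, int fd, size_t len)
{
    struct model_session s = { content_type, f, fd, len, false, NULL };
    return model_start_request(&s, last_body, sizeof last_body);
}

int main(void)
{
    printf("line 1339 case: branch %d\n", run_case(NULL, NULL, -1, 0));
    printf("line 1364 case: branch %d\n", run_case("text/plain", NULL, 5, 10));
    printf("line 1346 case: branch %d, body \"%s\"\n",
           run_case("text/plain", good_input_func, -1, 0), last_body);
    printf("buggy input_func: branch %d\n", run_case("text/plain", buggy_input_func, -1, 0));
    return 0;
}
```

The first three calls reproduce the three cases from the mail (nothing appended, read from fd, body appended); the fourth shows what the extra guard buys: with a callback that sets length but not body, the real code would pass NULL to g_string_append_len(), while the model returns BRANCH_INVALID_BODY.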