The man page for strtol() indicates that the function can set errno to
ERANGE (EINVAL is also possible for some environments).
But for the errno check to be valid, errno should be set to 0 before the
function call.
- http://linux.die.net/man/3/strtol
I've reviewed all cases of calls to strtol() in httpd and APR code.
In some cases no validation is performed after the call.
In most cases endptr (the second parameter) is checked against the
beginning and/or ending of the string which does not guarantee against
numeric overflow.
In some cases errno is checked for ERANGE.
I've attached a patch for the simplest case, where errno is checked but
was not set to 0 before the call.
I will consider working up a more extensive patch, if it is desired.
BTW, this discussion is not purely theoretical.
Erroneous "Invalid ThreadStackSize value: " messages have been witnessed
in HP-UX environments.
Thanks,
Mike Rumph
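The stale-errno failure described in the message above, and a strict parse that avoids it, as an added example that is not part of the original message or of httpd/APR. The helper names are hypothetical, and the false rejection assumes a libc (such as glibc) whose strtol() leaves errno untouched on success.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical helper (not an httpd or APR function): strictly parse a
 * non-negative decimal long. Returns 0 on success, -1 on invalid input. */
int parse_nonneg_long(const char *arg, long *out)
{
    char *end;
    long value;

    errno = 0;                      /* strtol() never clears errno itself */
    value = strtol(arg, &end, 10);
    if (end == arg)                 /* no digits were consumed */
        return -1;
    if (*end != '\0')               /* trailing characters after the number */
        return -1;
    if (errno == ERANGE)            /* out of range; value was clamped */
        return -1;
    if (value < 0)
        return -1;
    *out = value;
    return 0;
}

/* The pattern the message describes: errno is tested but never reset. */
int check_without_reset(const char *arg)
{
    long value = strtol(arg, NULL, 10);
    return (value < 0 || errno == ERANGE) ? -1 : 0;
}

/* Constructed input: leaves errno == ERANGE behind, as an earlier,
 * unrelated out-of-range conversion would. */
void leave_stale_erange(void)
{
    (void)strtol("99999999999999999999999999999999", NULL, 10);
}

/* Returns 1 when the unreset check wrongly rejects "65536" because of the
 * stale errno, while the strict parser accepts the same input. */
int stale_errno_false_reject(void)
{
    long v = 0;
    leave_stale_erange();
    int unreset = check_without_reset("65536");
    leave_stale_erange();
    int strict = parse_nonneg_long("65536", &v);
    return unreset == -1 && strict == 0 && v == 65536;
}
```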
Index: server/mpm_common.c
===================================================================
--- server/mpm_common.c (revision 1542069)
+++ server/mpm_common.c (working copy)
@@ -389,6 +389,7 @@
return err;
}
+ errno = 0;
value = strtol(arg, NULL, 10);
if (value < 0 || errno == ERANGE)
return apr_pstrcat(cmd->pool, "Invalid MaxMemFree value: ",
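Review bot: The MaxMemFree call still passes NULL as endptr in `strtol(arg, NULL, 10)`, so an argument with no digits parses as 0 and one with trailing characters is silently truncated; neither case trips `value < 0 || errno == ERANGE`. With the errno reset in place this is the remaining gap at this site. Suggest passing a `char *end` and also rejecting `end == arg` and `*end != '\0'` before accepting the value.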
@@ -408,6 +409,7 @@
return err;
}
+ errno = 0;
value = strtol(arg, NULL, 10);
if (value < 0 || errno == ERANGE)
return apr_pstrcat(cmd->pool, "Invalid ThreadStackSize value: ",
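Review bot: The ThreadStackSize hunk now repeats the same reset, parse and check sequence (`errno = 0;`, `strtol(arg, NULL, 10)`, `value < 0 || errno == ERANGE`) as the MaxMemFree hunk above. Suggest factoring it into one static helper in this file so the reset cannot be dropped at one site later, and adding a one-line comment beside `errno = 0;` stating that strtol() does not clear errno, since the line looks removable without that context.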