Re: bug in mod_dav.c

2005-11-11 Thread Ruediger Pluem


On 11/05/2005 11:41 PM, Ruediger Pluem wrote:
>

[..cut..]

> Good catch. Thank you. I also think that it should be err2->status instead
> of err->status. I just checked in a patch to the trunk
> (r331041, http://svn.apache.org/viewcvs.cgi?rev=331041&view=rev).
> Let's wait if there are any objections. If not I will try to get it
> backported.

Now backported to 2.2.x (r332657,
http://svn.apache.org/viewcvs.cgi?rev=332657&view=rev)
and proposed for backport to 2.0.x (r332661,
http://svn.apache.org/viewcvs.cgi?rev=332662&view=rev).

Regards

Rüdiger



bug in mod_dav.c

2005-11-05 Thread Ghassan Misherghi

Hello,

For both httpd-2.0.55 and httpd-2.1.8 there is a bug in
modules/dav/main/mod_dav.c.  It is a null pointer dereference in some error
handling code, so I'm not surprised that no one has noticed this yet.

Look at line 2488 (in 2.0.55):

    if (err != NULL) {
        return dav_handle_err(r, err, NULL);
    }
    if (err2 != NULL) {
        /* just log a warning */
        err = dav_push_error(r->pool, err->status, 0,
                             "The MKCOL was successful, but there "
                             "was a problem automatically checking in "
                             "the parent collection.",
                             err2);
        dav_log_err(r, err, APLOG_WARNING);
    }

Notice that for execution to pass to the second if statement, err must
currently be null.  But then within the second if statement, err is
immediately used in an argument as err->status.  This will clearly
result in a null pointer dereference.  Perhaps the author intended to write
err2->status.

Cheers,
Ghassan Misherghi
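The failing path described in the report, as an added example that is not code from this thread or from httpd: it mirrors the quoted control flow with stand-in types. The dav_error struct, dav_push_error(), dav_free_error(), mkcol_result and the demo helper below are assumptions made for this example, not the real mod_dav API (the real dav_push_error() allocates from an apr_pool and dav_handle_err() is replaced by simply returning the status). The original err->status is kept beside the err2->status the thread proposes, and the case that crashes the original, a successful MKCOL followed by a failed automatic check-in of the parent, is run through the fixed version.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the mod_dav types used by the quoted snippet. These are
 * assumptions for this example only: the real dav_error carries more
 * fields and is pool-allocated; calloc/free keep the example stand-alone. */
typedef struct dav_error {
    int status;                 /* HTTP status this error reports */
    const char *desc;           /* human-readable description */
    struct dav_error *prev;     /* error wrapped by this one, or NULL */
} dav_error;

dav_error *dav_push_error(int status, const char *desc, dav_error *prev)
{
    dav_error *e = calloc(1, sizeof(*e));
    if (e == NULL) {
        abort();
    }
    e->status = status;
    e->desc = desc;
    e->prev = prev;
    return e;
}

/* Frees an error together with every error it wraps. */
void dav_free_error(dav_error *e)
{
    while (e != NULL) {
        dav_error *prev = e->prev;
        free(e);
        e = prev;
    }
}

#define HTTP_CREATED 201

/* Outcome of finishing a MKCOL: the status to send to the client and the
 * warning to log (NULL when nothing is to be logged). The caller owns the
 * warning and the err2 chained onto it. */
typedef struct {
    int status;
    dav_error *warning;
} mkcol_result;

/* Same control flow as the 2.0.55 snippet: err reports a failure of the
 * MKCOL itself, err2 a failure of the automatic check-in of the parent.
 * On the err2 path err is necessarily NULL, so err->status dereferences
 * NULL. Kept for comparison only; never call it with err == NULL and
 * err2 != NULL. */
mkcol_result mkcol_finish_buggy(dav_error *err, dav_error *err2)
{
    mkcol_result res = { HTTP_CREATED, NULL };
    if (err != NULL) {
        res.status = err->status;       /* stands in for dav_handle_err() */
        return res;
    }
    if (err2 != NULL) {
        res.warning = dav_push_error(err->status,   /* NULL dereference */
                                     "The MKCOL was successful, but there "
                                     "was a problem automatically checking in "
                                     "the parent collection.",
                                     err2);
    }
    return res;
}

/* The change the thread settles on: take the status from err2, the only
 * non-NULL error on this path. The MKCOL succeeded, so the client still
 * gets 201 and the check-in failure is only logged. */
mkcol_result mkcol_finish_fixed(dav_error *err, dav_error *err2)
{
    mkcol_result res = { HTTP_CREATED, NULL };
    if (err != NULL) {
        res.status = err->status;
        return res;
    }
    if (err2 != NULL) {
        res.warning = dav_push_error(err2->status,
                                     "The MKCOL was successful, but there "
                                     "was a problem automatically checking in "
                                     "the parent collection.",
                                     err2);
    }
    return res;
}

typedef struct {
    int client_status;    /* what the client receives */
    int warning_status;   /* status carried by the logged warning, -1 if none */
} demo_outcome;

/* Constructed scenario from the report: MKCOL succeeded (err == NULL) but
 * the automatic check-in of the parent failed with a 500. */
demo_outcome demo_checkin_failure(void)
{
    dav_error *checkin_fail =
        dav_push_error(500, "constructed: parent check-in failed", NULL);
    mkcol_result r = mkcol_finish_fixed(NULL, checkin_fail);
    demo_outcome out = { r.status, r.warning != NULL ? r.warning->status : -1 };
    dav_free_error(r.warning);   /* frees the warning and checkin_fail it wraps */
    return out;
}

int main(void)
{
    demo_outcome o = demo_checkin_failure();
    printf("client gets %d; warning logged with status %d\n",
           o.client_status, o.warning_status);
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. Swapping mkcol_finish_fixed for mkcol_finish_buggy inside demo_checkin_failure reproduces the crash the report describes, because that is exactly the err == NULL, err2 != NULL combination.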


Re: bug in mod_dav.c

2005-11-05 Thread Ruediger Pluem


On 11/05/2005 09:42 PM, Ghassan Misherghi wrote:
> Hello,
>
> For both httpd-2.0.55 and httpd-2.1.8 there is a bug in
> modules/dav/main/mod_dav.c.  It is a null pointer dereference in some error
> handling code, so I'm not surprised that no one has noticed this yet.
>
> Look at line 2488 (in 2.0.55):
>
>     if (err != NULL) {
>         return dav_handle_err(r, err, NULL);
>     }
>     if (err2 != NULL) {
>         /* just log a warning */
>         err = dav_push_error(r->pool, err->status, 0,
>                              "The MKCOL was successful, but there "
>                              "was a problem automatically checking in "
>                              "the parent collection.",
>                              err2);
>         dav_log_err(r, err, APLOG_WARNING);
>     }
>
> Notice that for execution to pass to the second if statement, err must
> currently be null.  But then within the second if statement, err is
> immediately used in an argument as err->status.  This will clearly
> result in a null pointer dereference.  Perhaps the author intended to write
> err2->status.

Good catch. Thank you. I also think that it should be err2->status instead
of err->status. I just checked in a patch to the trunk
(r331041, http://svn.apache.org/viewcvs.cgi?rev=331041&view=rev).
Let's wait if there are any objections. If not I will try to get it backported.

Regards

Rüdiger