Re: bug in mod_dav.c
On 11/05/2005 11:41 PM, Ruediger Pluem wrote:

> [..cut..]
> Good catch. Thank you. I also think that it should be err2->status instead of err->status.
> I just checked in a patch to the trunk (r331041, http://svn.apache.org/viewcvs.cgi?rev=331041&view=rev).
> Let's wait if there are any objections. If not I will try to get it backported.

Now backported to 2.2.x (r332657, http://svn.apache.org/viewcvs.cgi?rev=332657&view=rev) and proposed for backport to 2.0.x (r332661, http://svn.apache.org/viewcvs.cgi?rev=332662&view=rev).

Regards

Rüdiger
bug in mod_dav.c
Hello,

For both httpd-2.0.55 and httpd-2.1.8 there is a bug in modules/dav/main/mod_dav.c. It is a null pointer dereference in some error handling code, so I'm not surprised that no one has noticed this yet.

Look at line 2488 (in 2.0.55):

    if (err != NULL) {
        return dav_handle_err(r, err, NULL);
    }
    if (err2 != NULL) {
        /* just log a warning */
        err = dav_push_error(r->pool, err->status, 0,
                             "The MKCOL was successful, but there was a problem "
                             "automatically checking in the parent collection.",
                             err2);
        dav_log_err(r, err, APLOG_WARNING);
    }

Notice that for execution to pass to the second if statement, err must currently be null. But then within the second if statement, err is immediately used in an argument as err->status. This will clearly result in a null pointer dereference. Perhaps the author intended to write err2->status.

Cheers,
Ghassan Misherghi
Re: bug in mod_dav.c
On 11/05/2005 09:42 PM, Ghassan Misherghi wrote:

> Hello,
>
> For both httpd-2.0.55 and httpd-2.1.8 there is a bug in modules/dav/main/mod_dav.c. It is a null pointer dereference in some error handling code, so I'm not surprised that no one has noticed this yet.
>
> Look at line 2488 (in 2.0.55):
>
>     if (err != NULL) {
>         return dav_handle_err(r, err, NULL);
>     }
>     if (err2 != NULL) {
>         /* just log a warning */
>         err = dav_push_error(r->pool, err->status, 0,
>                              "The MKCOL was successful, but there was a problem "
>                              "automatically checking in the parent collection.",
>                              err2);
>         dav_log_err(r, err, APLOG_WARNING);
>     }
>
> Notice that for execution to pass to the second if statement, err must currently be null. But then within the second if statement, err is immediately used in an argument as err->status. This will clearly result in a null pointer dereference. Perhaps the author intended to write err2->status.

Good catch. Thank you. I also think that it should be err2->status instead of err->status.
I just checked in a patch to the trunk (r331041, http://svn.apache.org/viewcvs.cgi?rev=331041&view=rev).
Let's wait if there are any objections. If not I will try to get it backported.

Regards

Rüdiger
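The corrected control flow from the thread above (err known to be NULL when err2 is examined, so the wrapped error takes its status from err2), as an added, self-contained illustration rather than code from httpd; the dav_error struct, push_error() and mkcol_finish() are stand-ins constructed here and are not mod_dav's own API.

```c
#include <stdlib.h>

/* Hypothetical stand-in for mod_dav's dav_error: an HTTP status, a description
 * and a pointer to the lower-level error it wraps (constructed for this example). */
typedef struct dav_error {
    int status;
    const char *desc;
    struct dav_error *prev;
} dav_error;

/* Stand-in for dav_push_error(): allocate a new error that wraps `prev`. */
static dav_error *push_error(int status, const char *desc, dav_error *prev)
{
    dav_error *e = calloc(1, sizeof(*e));
    if (e == NULL) abort();
    e->status = status;
    e->desc = desc;
    e->prev = prev;
    return e;
}

/* Tail of the MKCOL handler as fixed in r331041. `err` is the result of the
 * MKCOL itself, `err2` the result of auto-checking-in the parent collection.
 * A real MKCOL failure is propagated unchanged; a check-in failure is wrapped
 * in a warning chained on top of err2 (the real code logs it and continues).
 * NULL means there is nothing to report. */
dav_error *mkcol_finish(dav_error *err, dav_error *err2)
{
    if (err != NULL) {
        return err;                 /* httpd calls dav_handle_err() here */
    }
    if (err2 != NULL) {
        /* err is NULL on this path, so the status must come from err2, not err. */
        return push_error(err2->status,
                          "The MKCOL was successful, but there was a problem "
                          "automatically checking in the parent collection.",
                          err2);
    }
    return NULL;
}

/* Number of errors in a chain, outermost first, as a logging routine would walk it. */
int chain_depth(const dav_error *e)
{
    int n = 0;
    for (; e != NULL; e = e->prev) n++;
    return n;
}
```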