
This queue is for tickets about the HTTP-Server-EV CPAN distribution.

Report information
The Basics
Id: 84669
Status: resolved
Priority: 0/
Queue: HTTP-Server-EV

People
Owner: Nobody in particular
Requestors: ef [...] math.uni-bonn.de
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Stack corruption in HTTP::Server::EV EV.xs
Date: Tue, 16 Apr 2013 16:22:56 +0200
To: bug-HTTP-Server-EV [...] rt.cpan.org
From: Edgar Fuß <ef [...] math.uni-bonn.de>
I noticed stack corruption (caught by gcc's stack protector) on certain requests. It turned out to happen as soon as the name of an HTTP header exceeded 20. The problem is that sizeof(state->buf) gives you the size of state->buf, i.e. sizeof(char *), not the size of the malloc()'ed area as you seem to expect. There's a similar bug elsewhere where you take sizeof(buf), with buf being a pointer to a struct sockaddr -- you need to take sizeof(*buf) there. Also, you multiply a bunch of values by sizeof(char), which is useless, because it's defined to be 1 -- maybe you do that for aesthetic reasons, though. I didn't change that. The attached patch fixes the two sizeof() issues and makes my crashes disappear.

Message body is not shown because sender requested not to inline it.
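The two sizeof() mistakes described in the report, side by side with the correct bounds, as an added illustration that is not HTTP::Server::EV's code and not the attached patch. The `struct state`, its `buf_cap` field, the function names and the bounded copy routine are assumptions made for the example; only the pointer-versus-object sizeof distinction is taken from the report.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical parser state (assumed, not the module's own): the header
 * buffer lives on the heap, so the struct holds only a pointer to it plus,
 * as the fix, the capacity that was actually passed to malloc(). */
struct state {
    char   *buf;
    size_t  buf_cap;
};

int state_init(struct state *st, size_t cap) {
    st->buf = malloc(cap);
    st->buf_cap = st->buf ? cap : 0;
    return st->buf != NULL;
}

void state_free(struct state *st) {
    free(st->buf);
    st->buf = NULL;
    st->buf_cap = 0;
}

/* Buggy bound: sizeof(st->buf) is sizeof(char *), i.e. 4 or 8 bytes,
 * regardless of how large the malloc()'ed block is. */
size_t header_limit_buggy(const struct state *st) { return sizeof(st->buf); }

/* Correct bound: the capacity recorded when the block was allocated. */
size_t header_limit_fixed(const struct state *st) { return st->buf_cap; }

/* Same mistake with a pointer to struct sockaddr: sizeof(addr) is the
 * pointer size, sizeof(*addr) is the size of the struct it points to. */
size_t sockaddr_len_buggy(const struct sockaddr *addr) { return sizeof(addr); }
size_t sockaddr_len_fixed(const struct sockaddr *addr) { return sizeof(*addr); }

/* Copy a header name into st->buf, never storing more than `limit` bytes
 * including the terminating NUL. Returns the number of name bytes stored,
 * or (size_t)-1 if limit is 0. Any bound larger than the real allocation
 * would let memcpy() write past the block; a bound that is merely too
 * small (the pointer size) silently truncates the name instead. */
size_t copy_header_name(struct state *st, const char *name, size_t limit) {
    size_t n = strlen(name);
    if (limit == 0) return (size_t)-1;
    if (n >= limit) n = limit - 1;      /* leave room for the terminator */
    memcpy(st->buf, name, n);
    st->buf[n] = '\0';
    return n;
}
```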

Thanks, fixed