ref: bdaa0022550a319c42de5f019d22a40625845182
parent: 1d8f2ac0502bff4c3d92f431f20680e27255a896
author: cinap_lenrek <[email protected]>
date: Mon Nov 30 15:08:22 EST 2015
webcookies: strdup() file argument to avoid crash (thanks mischief) mischief reports: acid: lstk() abort()+0x0 /sys/src/libc/9sys/abort.c:6 ppanic(p=0x1bff4,fmt=0x1d749)+0x146 /sys/src/libc/port/malloc.c:166 pv=0x1dad8 msg=0x1e4a8 v=0x3ffffe7c n=0x2f D2B(p=0x1bff4,v=0x3fffffae)+0x57 /sys/src/libc/port/pool.c:926 a=0x3fffffa4 poolfreel(v=0x3fffffae,p=0x1bff4)+0x20 /sys/src/libc/port/pool.c:1152 ab=0x1dad8 poolfree(p=0x1bff4,v=0x3fffffae)+0x3b /sys/src/libc/port/pool.c:1287 free(v=0x3fffffb6)+0x23 /sys/src/libc/port/malloc.c:250 readjar(file=0x3fffffb6)+0xce /sys/src/cmd/webcookies.c:473 jar=0x1ea28 lock=0x1ea68 p=0x1ea6d main(argv=0x3fffffa0,argc=0x0)+0x10f /sys/src/cmd/webcookies.c:1295 file=0x3fffffb6 srv=0x0 mtpt=0x1cfd0 _argc=0x66 _args=0x1cfe0 home=0x0 _main+0x31 /sys/src/libc/386/main9.s:16 acid:
--- a/sys/src/cmd/webcookies.c
+++ b/sys/src/cmd/webcookies.c
@@ -448,6 +448,27 @@
return 0;
}
+void
+closejar(Jar *jar)
+{
+ int i;
+
+ if(jar == nil)
+ return;
+ expirejar(jar, 0);
+ if(jar->dirty)
+ if(syncjar(jar) < 0)
+ fprint(2, "warning: cannot rewrite cookie jar: %r\n");
+
+ for(i=0; i<jar->nc; i++)
+ freecookie(&jar->c[i]);
+
+ free(jar->lockfile);
+ free(jar->file);
+ free(jar->c);
+ free(jar);
+}
+
Jar*
readjar(char *file)
{
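Review bot: The sync-failure warning in the relocated closejar names no jar, so when the rewrite fails the operator cannot tell which file was lost; passing the path would fix that, `fprint(2, "warning: cannot rewrite cookie jar %s: %r\n", jar->file);` (jar->file is freed a few lines later, so it is still valid here). The new copy also frees jar->lockfile next to jar->file, which the removed version did not, so the lock path no longer leaks on close — worth a one-line comment above the function recording the contract the other hunks now rely on: `/* closejar: accepts nil; flushes a dirty jar, then frees cookies, file and lock names */`. The cookie values themselves are released by freecookie, which is outside this diff; if it does not clear the value bytes before free(), session tokens remain readable in freed memory, which I cannot confirm from here.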
@@ -455,6 +476,7 @@
Jar *jar;
jar = newjar();
+ file = estrdup9p(file);
lock = emalloc9p(strlen(file)+10);
strcpy(lock, file);
if((p = strrchr(lock, '/')) != nil)
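Review bot: The reassignment `file = estrdup9p(file)` is the whole fix — the trace in the description shows readjar freeing the very `file` pointer it was handed (free(v=0x3fffffb6) with file=0x3fffffb6, a stack address from main) — but nothing in the code says the jar now owns a heap copy, so a later reader may remove the apparently redundant dup; `file = estrdup9p(file);	/* jar->file takes ownership; closejar frees it */` would pin that down. Where the copy is stored into jar->file, and whether any failure return between here and there releases it, lies outside the hunk, so I cannot confirm the early-error path does not leak the copy. The `+10` sizing the lock buffer depends on whatever suffix is appended after this hunk; naming that length alongside the suffix would keep the two from drifting apart. readjar's body continues past the end of the hunk.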
@@ -469,34 +491,13 @@
jar->dirty = 0;
if(syncjar(jar) < 0){
- free(jar->file);
- free(jar->lockfile);
- free(jar);
+ closejar(jar);
return nil;
}
return jar;
}
-void
-closejar(Jar *jar)
-{
- int i;
- if(jar == nil)
- return;
- expirejar(jar, 0);
- if(jar->dirty)
- if(syncjar(jar) < 0)
- fprint(2, "warning: cannot rewrite cookie jar: %r\n");
-
- for(i=0; i<jar->nc; i++)
- freecookie(&jar->c[i]);
-
- free(jar->file);
- free(jar->c);
- free(jar);
-}
-
/*
* Domain name matching is per RFC2109, section 2:
*
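Review bot: Routing the syncjar failure through closejar(jar) runs more than the three free() calls it replaces: closejar calls expirejar(jar, 0) and freecookie for each entry before freeing, and the caller learns why readjar returned nil only through `%r`, which any error-setting call made during that cleanup can overwrite. Saving the reason first, `char err[ERRMAX]; rerrstr(err, sizeof err);`, and restoring it with `werrstr("%s", err);` after `closejar(jar);` keeps the original failure visible to the caller. jar->dirty is cleared just above, so the failed sync is not immediately retried; whether expirejar can set dirty again and trigger a second attempt plus warning from inside cleanup depends on code outside the diff. A short comment on the new call, `closejar(jar);	/* frees the file/lock copies too */`, would record that the error path no longer leaks the estrdup9p'd name.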
@@ -1152,8 +1153,7 @@
}
}
snprint(a->outhttp, AuxBuf, "%J", j);
- if(j)
- closejar(j);
+ closejar(j);
}else{
if(strlen(a->inhttp)+r->ifcall.count >= AuxBuf){
respond(r, "http headers too large");