

ref: bdaa0022550a319c42de5f019d22a40625845182
parent: 1d8f2ac0502bff4c3d92f431f20680e27255a896
author: cinap_lenrek <[email protected]>
date: Mon Nov 30 15:08:22 EST 2015

webcookies: strdup() file argument to avoid crash (thanks mischief)

mischief reports:

 acid: lstk()
 abort()+0x0 /sys/src/libc/9sys/abort.c:6
 ppanic(p=0x1bff4,fmt=0x1d749)+0x146 /sys/src/libc/port/malloc.c:166
         pv=0x1dad8
         msg=0x1e4a8
         v=0x3ffffe7c
         n=0x2f
 D2B(p=0x1bff4,v=0x3fffffae)+0x57 /sys/src/libc/port/pool.c:926
         a=0x3fffffa4
 poolfreel(v=0x3fffffae,p=0x1bff4)+0x20 /sys/src/libc/port/pool.c:1152
         ab=0x1dad8
 poolfree(p=0x1bff4,v=0x3fffffae)+0x3b /sys/src/libc/port/pool.c:1287
 free(v=0x3fffffb6)+0x23 /sys/src/libc/port/malloc.c:250
 readjar(file=0x3fffffb6)+0xce /sys/src/cmd/webcookies.c:473
         jar=0x1ea28
         lock=0x1ea68
         p=0x1ea6d
 main(argv=0x3fffffa0,argc=0x0)+0x10f /sys/src/cmd/webcookies.c:1295
         file=0x3fffffb6
         srv=0x0
         mtpt=0x1cfd0
         _argc=0x66
         _args=0x1cfe0
         home=0x0
 _main+0x31 /sys/src/libc/386/main9.s:16
 acid:

--- a/sys/src/cmd/webcookies.c
+++ b/sys/src/cmd/webcookies.c
@@ -448,6 +448,27 @@
 	return 0;
 }
 
+void
+closejar(Jar *jar)
+{
+	int i;
+
+	if(jar == nil)
+		return;
+	expirejar(jar, 0);
+	if(jar->dirty)
+		if(syncjar(jar) < 0)
+			fprint(2, "warning: cannot rewrite cookie jar: %r\n");
+
+	for(i=0; i<jar->nc; i++)
+		freecookie(&jar->c[i]);
+
+	free(jar->lockfile);
+	free(jar->file);
+	free(jar->c);
+	free(jar);	
+}
+
 Jar*
 readjar(char *file)
 {
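Review bot: The relocated closejar frees jar->lockfile on line 62, which the removed copy on lines 92-110 never did, so the move also fixes a leak of the lock path that neither the commit message nor a comment records; a header comment would make the ownership explicit, e.g. `/* closejar: releases the jar plus the heap copies of file and lockfile that readjar allocated */`. Because readjar's syncjar-failure path (line 86 in the third hunk) now goes through closejar instead of three plain free() calls, it also runs expirejar(jar, 0) and, if that leaves jar->dirty set, a second syncjar on a jar whose sync has just failed, printing the warning on line 57 after the caller already receives nil. Whether expirejar can set dirty is not visible here, so that is worth confirming rather than assuming. readjar's body continues outside this hunk.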
@@ -455,6 +476,7 @@
 	Jar *jar;
 
 	jar = newjar();
+	file = estrdup9p(file);
 	lock = emalloc9p(strlen(file)+10);
 	strcpy(lock, file);
 	if((p = strrchr(lock, '/')) != nil)
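Review bot: The duplicated string is stored in the jar and released by closejar (the trace in the commit message shows the old code freeing main's pointer 0x3fffffb6 directly), but nothing at this site says that the jar now owns a copy while the caller keeps its own string; a comment such as `file = estrdup9p(file);	/* jar owns this copy; closejar frees it, never the caller's string */` would stop the next reader from freeing the parameter again. estrdup9p and emalloc9p abort on allocation failure rather than returning nil, so no check is needed after the new line, though that rests on lib9p's e-prefixed allocator convention rather than anything visible in the hunk. The lock buffer is still sized strlen(file)+10 and filled with strcpy plus whatever suffix is appended after line 78, and the assignment of the copy to jar->file is likewise outside this hunk.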
@@ -469,34 +491,13 @@
 	jar->dirty = 0;
 
 	if(syncjar(jar) < 0){
-		free(jar->file);
-		free(jar->lockfile);
-		free(jar);
+		closejar(jar);
 		return nil;
 	}
 	return jar;
 }
 
-void
-closejar(Jar *jar)
-{
-	int i;
 
-	if(jar == nil)
-		return;
-	expirejar(jar, 0);
-	if(jar->dirty)
-		if(syncjar(jar) < 0)
-			fprint(2, "warning: cannot rewrite cookie jar: %r\n");
-
-	for(i=0; i<jar->nc; i++)
-		freecookie(&jar->c[i]);
-
-	free(jar->file);
-	free(jar->c);
-	free(jar);	
-}
-
 /*
  * Domain name matching is per RFC2109, section 2:
  *
@@ -1152,8 +1153,7 @@
 				}
 			}
 			snprint(a->outhttp, AuxBuf, "%J", j);
-			if(j)
-				closejar(j);
+			closejar(j);
 		}else{
 			if(strlen(a->inhttp)+r->ifcall.count >= AuxBuf){
 				respond(r, "http headers too large");