authorGiovanni Bechis <gbechis@apache.org>2023-04-05 08:38:18 +0200
committerGiovanni Bechis <gbechis@apache.org>2023-04-05 08:38:18 +0200
commit24007faa4f5cb59e494feb764e3a247018dc3907 (patch)
tree249a9996ce944cc977f0fd086c9b1bbd33157b01 /server
parentFix a possible NULL pointer dereference of ap_runtime_dir_relative() (diff)
Fix possible NULL pointer dereference casued by apreq_param_make()
The function apreq_param_make() will return NULL on failure. However, the NULL check is forgotten before dereferencing the result, which could lead to a NULL pointer dereference. Adding a NULL check to every use of apreq_param_make(). Submitted by: Zhou Qingyang <zhou1615@umn.edu> Github: closes #303 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908981 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'server')
-rw-r--r--server/apreq_module_cgi.c8
-rw-r--r--server/apreq_parser.c2
-rw-r--r--server/apreq_parser_header.c2
-rw-r--r--server/apreq_parser_multipart.c8
-rw-r--r--server/apreq_parser_urlencoded.c2
5 files changed, 22 insertions, 0 deletions
diff --git a/server/apreq_module_cgi.c b/server/apreq_module_cgi.c
index eaf4e99ef4..d67371b4df 100644
--- a/server/apreq_module_cgi.c
+++ b/server/apreq_module_cgi.c
@@ -562,6 +562,8 @@ static apr_status_t cgi_args(apreq_handle_t *handle,
if (val == NULL)
val = "";
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->args);
val = p->v.data;
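Review bot: In the cgi_args_get and cgi_body_get hunks of this file, the new `return NULL;` for an allocation failure is the same value the line just above it returns when the parameter is simply absent, so callers cannot tell "not found" from "out of memory"; cgi_args and cgi_body (this hunk and the cgi_body hunk) report the same condition as APR_ENOMEM. Unless the handle has somewhere to record a status, a comment on the new return in the two `_get` functions such as `/* allocation failure; indistinguishable from "not found" for callers */` would at least make the conflation explicit. All four enclosing functions begin and end outside their hunks.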
@@ -642,6 +644,8 @@ static apreq_param_t *cgi_args_get(apreq_handle_t *handle,
if (val == NULL)
return NULL;
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return NULL;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->args);
val = p->v.data;
@@ -678,6 +682,8 @@ static apr_status_t cgi_body(apreq_handle_t *handle,
if (val == NULL)
val = "";
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->body);
val = p->v.data;
@@ -720,6 +726,8 @@ static apreq_param_t *cgi_body_get(apreq_handle_t *handle,
if (val == NULL)
return NULL;
p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+ if (p == NULL)
+ return NULL;
apreq_param_tainted_on(p);
apreq_value_table_add(&p->v, req->body);
val = p->v.data;
diff --git a/server/apreq_parser.c b/server/apreq_parser.c
index 700cc43fac..f418887303 100644
--- a/server/apreq_parser.c
+++ b/server/apreq_parser.c
@@ -228,6 +228,8 @@ APREQ_DECLARE_PARSER(apreq_parse_generic)
ctx->status = GEN_INCOMPLETE;
ctx->param = apreq_param_make(pool,
"_dummy_", strlen("_dummy_"), "", 0);
+ if (ctx->param == NULL)
+ return APR_ENOMEM;
ctx->param->upload = apr_brigade_create(pool, parser->bucket_alloc);
ctx->param->info = apr_table_make(pool, APREQ_DEFAULT_NELTS);
}
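Review bot: The new early return leaves ctx->status at GEN_INCOMPLETE with ctx->param still NULL; if parser->ctx has already been pointed at this context earlier in the function (the assignment is outside the hunk, so confirm), the next call of the parser skips this initialization block and dereferences ctx->param further down. Moving the context into its terminal error state before returning, or deferring the `parser->ctx = ctx` assignment until after both allocations succeed, would keep a retried call from reaching that dereference. apreq_parse_generic begins and ends outside the hunk.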
diff --git a/server/apreq_parser_header.c b/server/apreq_parser_header.c
index 6f72f563fd..e3c789eb12 100644
--- a/server/apreq_parser_header.c
+++ b/server/apreq_parser_header.c
@@ -84,6 +84,8 @@ static apr_status_t consume_header_line(apreq_param_t **p,
int i, eol = 0;
param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
+ if (param == NULL)
+ return APR_ENOMEM;
*(const apreq_value_t **)&v = &param->v;
arr.pool = pool;
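Review bot: On the new failure path `*p` is left untouched, so if consume_header_line assigns `*p` only at the end of the function (not visible here), its callers must not read it unless the return value is APR_SUCCESS; the same applies to the split_urlword hunk in apreq_parser_urlencoded.c. A line in each function's header comment such as `/* *p is assigned only on APR_SUCCESS and is untouched on error */`, or a `*p = NULL;` ahead of the new return, would pin that contract. Both enclosing functions begin and end outside their hunks.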
diff --git a/server/apreq_parser_multipart.c b/server/apreq_parser_multipart.c
index f280d2afc9..2bea98efbd 100644
--- a/server/apreq_parser_multipart.c
+++ b/server/apreq_parser_multipart.c
@@ -472,6 +472,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
param = apreq_param_make(pool, name, nlen,
filename, flen);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
param->upload
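Review bot: The four new `return APR_ENOMEM;` sites in apreq_parse_multipart (this hunk and the three that follow) return without moving the parser into its error state, while the multipart parser's other failure paths set `ctx->status = MFD_ERROR;` before returning (not visible in these hunks, so confirm); if so, a second call on the same parser re-enters the state it failed in instead of being rejected. Adding `ctx->status = MFD_ERROR;` ahead of each of the four returns keeps the failure sticky. The enclosing function begins and ends outside every one of these hunks.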
@@ -505,6 +507,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
nlen = strlen(name);
param = apreq_param_make(pool, name, nlen,
filename, flen);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
param->upload = apr_brigade_create(pool,
@@ -532,6 +536,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
flen = 0;
param = apreq_param_make(pool, name, nlen,
filename, flen);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
param->upload = apr_brigade_create(pool,
@@ -569,6 +575,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
param = apreq_param_make(pool, ctx->param_name,
strlen(ctx->param_name),
NULL, len);
+ if (param == NULL)
+ return APR_ENOMEM;
apreq_param_tainted_on(param);
param->info = ctx->info;
diff --git a/server/apreq_parser_urlencoded.c b/server/apreq_parser_urlencoded.c
index e90d0dd382..fd8945596c 100644
--- a/server/apreq_parser_urlencoded.c
+++ b/server/apreq_parser_urlencoded.c
@@ -64,6 +64,8 @@ static apr_status_t split_urlword(apreq_param_t **p, apr_pool_t *pool,
return APR_EBADARG;
param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
+ if (param == NULL)
+ return APR_ENOMEM;
*(const apreq_value_t **)&v = &param->v;
arr.pool = pool;