DO NOT REPLY [Bug 20617] New: - GetServerVariable("ALL_RAW") returns wrong buffer size

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20617>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20617

GetServerVariable("ALL_RAW") returns wrong buffer size

           Summary: GetServerVariable("ALL_RAW") returns wrong buffer size
           Product: Apache httpd-2.0
           Version: 2.0.46
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_isapi
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jsp@pkc.com


Line 586 adds two bytes to the length of each header string to allow for
characters that will be added when the string is formatted:

            len += strlen(elts[i].key) + strlen(elts[i].val) + 2;

This is consistent with the commentary that precedes it, however, line 598- 602
actually add three bytes to the header string:

            *(((char*)buf_data)++) = ':';
            *(((char*)buf_data)++) = ' ';
            strcpy(buf_data, elts[i].val);
            ((char*)buf_data) += strlen(elts[i].val);
            *(((char*)buf_data)++) = '\n';

Net result: buf_size is one byte per row too small.  GetServerVariable() is
typically called once with a NULL buffer to establish the required buffer size,
then called again with a newly allocated buffer of the appropriate size.  This
isn't possible if the first call returns too small a size.

The fix is simple: change '2' to '3' in line 586.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org