On Wed, Feb 21, 2001 at 05:03:42PM -0000, email@example.com wrote:
> --- dag.c 2001/02/20 23:32:38 1.20
> +++ dag.c 2001/02/21 17:03:42 1.21
> +/* Helper for next three funcs */
> +static int
> +node_is_kind_p (dag_node_t *node, const char *kindstr)
> + /* No gratutitous syntax (or null-value) checks in here, because
> + we're assuming that lower layers have already scanned the content
> + skel for validity. */
> + /* The node "header" is the first element of a node-revision skel,
> + itself a list. */
> + skel_t *header = node->contents->children;
> + /* The first element of the header should be an atom defining the
> + node kind. */
> + skel_t *kind = header->children;
> + if (! memcmp (kind->data, kindstr, kind->len))
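Review bot: the `memcmp (kind->data, kindstr, kind->len)` in `node_is_kind_p` reads `kind->len` bytes from `kindstr`, but `kindstr` is an ordinary C string whose length is unrelated to the atom's length, so any atom longer than `strlen (kindstr)` makes this an out-of-bounds read; it also treats an atom that is a strict prefix of `kindstr` (or vice versa) as a match. Compare the lengths first and only then compare bytes, e.g. `apr_size_t kindstr_len = strlen (kindstr);` followed by `if (kind->len == kindstr_len && memcmp (kind->data, kindstr, kindstr_len) == 0)`.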
That is an illegal memcmp(). You can't be sure that kindstr is kind->len
bytes long. And you can't assume that memcmp will stop at the first byte
which differs. Thus, the above memcmp could end up "touching"
kindstr[kind->len-1]. If kindstr is 2 bytes, and kind->len is 2000, then you
could (theoretically) cause a seg fault.
The correct function in this case is strncmp(kind->data, kindstr, kind->len)
(in that particular argument order; see the man page).
However, even that is not sufficient. If kind=="f" and kindstr=="file", then
you'll end up comparing the first byte and saying they are equal.
This is all mucky because skel->data is not null-terminated (and I don't
think it should be; we'd end up having to copy (potentially) lots of data).
Therefore, your check is going to be:
apr_size_t kindstr_len = strlen(kindstr);
if (kind->len == kindstr_len
&& memcmp(kind->data, kindstr, kindstr_len) == 0)
That should do the trick.
Greg Stein, http://www.lyra.org/
Received on Sat Oct 21 14:36:23 2006
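The length-then-memcmp comparison Greg describes, as an added stand-alone example that is not code from the original message or from Subversion's dag.c. The `skel_t` here is a hypothetical two-field stand-in (pointer plus length, no terminator) for the real skel structure, the sample buffer is constructed, and the `atom_strncmp_prefix_bug` function exists only to show the "f" matches "file" failure mode of the strncmp variant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a skel atom: a pointer/length pair that is
   NOT null-terminated, which is the property the whole discussion turns on. */
typedef struct skel_t {
    const char *data;
    size_t len;
} skel_t;

/* Correct comparison: check the lengths first, then memcmp over that
   length. memcmp is only reached when both buffers are known to hold
   kindstr_len bytes, so it can never read past the end of kindstr. */
int atom_equals_cstr(const skel_t *atom, const char *kindstr)
{
    size_t kindstr_len = strlen(kindstr);
    return atom->len == kindstr_len
        && memcmp(atom->data, kindstr, kindstr_len) == 0;
}

/* The insufficient strncmp variant from the thread, kept only to show the
   prefix problem: an atom "f" compares equal to "file". Do not use. */
int atom_strncmp_prefix_bug(const skel_t *atom, const char *kindstr)
{
    return strncmp(atom->data, kindstr, atom->len) == 0;
}

/* Constructed sample buffer: the atom "file" followed by unrelated bytes,
   with no terminator directly after the atom. */
static const char sample_buf[] = "filexyz";

/* Returns 1: the four-byte atom "file" matches "file". */
int demo_file_matches(void)
{
    skel_t atom = { sample_buf, 4 };
    return atom_equals_cstr(&atom, "file");
}

/* Returns 0: the one-byte atom "f" must not match "file". */
int demo_f_vs_file_correct(void)
{
    skel_t atom = { sample_buf, 1 };
    return atom_equals_cstr(&atom, "file");
}

/* Returns 1, which is the bug: strncmp bounded by the atom length only
   compares the first byte and reports a match. */
int demo_f_vs_file_strncmp(void)
{
    skel_t atom = { sample_buf, 1 };
    return atom_strncmp_prefix_bug(&atom, "file");
}

/* Returns 0: a longer atom "filex" must not match "file" either, and the
   length check rejects it before memcmp could read past kindstr. */
int demo_filex_vs_file(void)
{
    skel_t atom = { sample_buf, 5 };
    return atom_equals_cstr(&atom, "file");
}

int main(void)
{
    printf("\"file\" == \"file\"            : %d\n", demo_file_matches());
    printf("\"f\" == \"file\" (correct)     : %d\n", demo_f_vs_file_correct());
    printf("\"f\" == \"file\" (strncmp bug) : %d\n", demo_f_vs_file_strncmp());
    printf("\"filex\" == \"file\"           : %d\n", demo_filex_vs_file());
    return 0;
}
```

The ordering matters: `atom->len == kindstr_len` is evaluated first, so `memcmp` only runs when both buffers are known to be at least `kindstr_len` bytes, which is what removes the out-of-bounds read in the original `memcmp (kind->data, kindstr, kind->len)`.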