Bug 514521 - xmlNanoHTTPMethodRedir in nanohttp.c:1270 receives a SIGSEGV if the URL defines a port != 80
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: 2.6.31
Hardware: Other All
Importance: Normal critical
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Duplicates: 520384
Reported: 2008-02-05 12:57 UTC by Antonio Messina
Modified: 2008-03-05 08:19 UTC

Description Antonio Messina 2008-02-05 12:57:03 UTC
Steps to reproduce:
1. Use xmlNanoHTTPMethod with a URL like "http://localhost:1980",
   for example, use nd built against libxml2-2.6.31.

I found this bug using nd to connect to a WebDAV server listening on port 1980.

Stack trace:
Building nd and libxml2 with debug symbols, without optimization and linking against efence:

Program received signal SIGSEGV, Segmentation fault.

Thread 3082815152 (LWP 8415)

  #0 vsnprintf from /lib/libc.so.6
  #1 snprintf from /lib/libc.so.6
  #2 xmlNanoHTTPMethodRedir__internal_alias at nanohttp.c line 1388
  #3 xmlNanoHTTPMethod__internal_alias at nanohttp.c line 1519
  #4 ndHTTPMethod at nd.c line 383
  #5 ndGetPrint at nd.c line 1469
  #6 main at main.c line 385


Other information:
Before bp = (char*)xmlMallocAtomic(blen); at line nanohttp.c:1352, you need to check whether ctxt->port != 80 and, if so, add to blen the number of digits of ctxt->port + 1.

A dummy patch resolves the bug:

diff -burN libxml2-2.6.31/nanohttp.c libxml2-2.6.31.fixed/nanohttp.c
--- libxml2-2.6.31/nanohttp.c   2007-08-28 19:34:00.000000000 +0200
+++ libxml2-2.6.31.fixed/nanohttp.c     2008-02-05 12:50:12.000000000 +0100
@@ -1339,6 +1339,15 @@
 #ifdef HAVE_ZLIB_H
     blen += 23;
 #endif
+       if (ctxt->port != 80) {
+               int test=ctxt->port;
+               while (test > 0) {
+                       test = test/10;
+                       blen++;
+               }
+               blen++;
+       }
+
     bp = (char*)xmlMallocAtomic(blen);
     if ( bp == NULL ) {
         xmlNanoHTTPFreeCtxt( ctxt );
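Review bot: The digit-counting loop in the added block, while (test > 0), only accounts for positive values: if ctxt->port is 0 or negative, blen grows by just the single trailing blen++, which undercounts whatever is later formatted for the port as a signed integer. Because a valid TCP port never exceeds 65535, a fixed blen += 6 (':' plus five digits) combined with a range check on ctxt->port is simpler and cannot drift from the digit count. The trailing blen++ should carry a comment saying it reserves the ':' separator, and the new lines are tab-indented while the surrounding context uses four spaces.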
Comment 1 William M. Brack 2008-02-06 04:18:02 UTC
Instead of calculating the exact size required, I added some code to add an additional 6 bytes (':' plus max 5-digit port); also added a few comments about the string length calculation. Fixed code is in SVN - please try it out and close the bug if it's successful.  Thanks for the report.
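The sizing problem discussed above, as an added example that is not libxml2 code and not part of the original report: it compares a hand-counted length budget with and without the 6-byte port allowance against the length snprintf actually needs, and shows a builder that checks the snprintf return value. The function names and the simplified "Host:" header format are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not libxml2 code: length the header really needs,
 * measured by snprintf (C99: a NULL/0 call returns the would-be length). */
static int host_header_needed(const char *host, int port)
{
    return (port == 80) ? snprintf(NULL, 0, "Host: %s\r\n", host)
                        : snprintf(NULL, 0, "Host: %s:%d\r\n", host, port);
}

/* Hand-counted budget. add_port_slack = 0 models the defect (port not
 * counted); 1 adds the 6 bytes described in Comment 1. */
static size_t host_header_budget(const char *host, int port, int add_port_slack)
{
    size_t blen = strlen("Host: ") + strlen(host) + strlen("\r\n");
    if (add_port_slack && port != 80)
        blen += 6;    /* ':' plus at most 5 digits (port <= 65535) */
    return blen;
}

/* Defensive builder: rejects ports outside 1..65535 and treats a truncated
 * snprintf as an error instead of trusting the hand-counted budget. */
static char *build_host_header(const char *host, int port)
{
    if (port < 1 || port > 65535)
        return NULL;
    size_t cap = host_header_budget(host, port, 1) + 1;   /* + NUL */
    char *bp = malloc(cap);
    if (bp == NULL)
        return NULL;
    int n = (port == 80) ? snprintf(bp, cap, "Host: %s\r\n", host)
                         : snprintf(bp, cap, "Host: %s:%d\r\n", host, port);
    if (n < 0 || (size_t)n >= cap) {      /* output did not fit */
        free(bp);
        return NULL;
    }
    return bp;
}

int main(void)
{
    char *h = build_host_header("localhost", 1980);   /* constructed input */
    printf("needed=%d unpatched=%zu patched=%zu\n", host_header_needed("localhost", 1980),
           host_header_budget("localhost", 1980, 0), host_header_budget("localhost", 1980, 1));
    if (h) { fputs(h, stdout); free(h); }
    return 0;
}
```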
Comment 2 Antonio Messina 2008-02-06 08:41:45 UTC
(In reply to comment #1)
> Instead of calculating the exact size required, I added some code to add an
> additional 6 bytes (':' plus max 5-digit port); also added a few comments about
> the string length calculation. Fixed code is in SVN - please try it out and
> close the bug if it's successful.  Thanks for the report.
> 

It works for me. Thank you very much.

.a.
Comment 3 William M. Brack 2008-03-05 08:19:33 UTC
*** Bug 520384 has been marked as a duplicate of this bug. ***