From 90d8c8cb498fd7aacd19682d2979186e76805808 Mon Sep 17 00:00:00 2001
From: Adam Chlipala <adamc@hcoop.net>
Date: Tue, 12 May 2009 20:15:11 -0400
Subject: Stop potential buffer overrun of path_copy

---
 src/c/driver.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'src/c/driver.c')

diff --git a/src/c/driver.c b/src/c/driver.c
index 2f84184f..af3e73a3 100644
--- a/src/c/driver.c
+++ b/src/c/driver.c
@@ -150,6 +150,8 @@ static void *worker(void *data) {
   uw_context ctx = new_context();
   size_t buf_size = 2;
   char *buf = malloc(buf_size);
+  size_t path_copy_size = 0;
+  char *path_copy = malloc(path_copy_size);
 
   while (1) {
     char *back = buf, *s, *post;
@@ -197,7 +199,7 @@ static void *worker(void *data) {
         int is_post = 0, do_normal_send = 1;
         char *boundary = NULL;
         size_t boundary_len;
-        char *cmd, *path, *headers, path_copy[uw_bufsize+1], *inputs, *after_headers;
+        char *cmd, *path, *headers, *inputs, *after_headers;
 
         //printf("All: %s\n", buf);
 
@@ -435,8 +437,14 @@ static void *worker(void *data) {
         printf("Serving URI %s....\n", path);
 
         while (1) {
+          size_t path_len = strlen(path);
+
           uw_write_header(ctx, "HTTP/1.1 200 OK\r\n");
 
+          if (path_len + 1 > path_copy_size) {
+            path_copy_size = path_len + 1;
+            path_copy = realloc(path_copy, path_copy_size);
+          }
           strcpy(path_copy, path);
           fk = uw_begin(ctx, path_copy);
           if (fk == SUCCESS || fk == RETURN_BLOB) {
-- 
cgit v1.2.3