Fix possible NULL pointer dereference casued by apreq_param_make()
authorGiovanni Bechis <gbechis@apache.org>
Wed, 5 Apr 2023 06:38:18 +0000 (06:38 +0000)
committerGiovanni Bechis <gbechis@apache.org>
Wed, 5 Apr 2023 06:38:18 +0000 (06:38 +0000)
The function apreq_param_make() will return NULL on failure. However,
NULL checks are forgotten before the dereference, which could lead to
a NULL pointer dereference.

Adding a NULL check to all uses of apreq_param_make().

Submitted by: Zhou Qingyang <zhou1615@umn.edu>

Github: closes #303

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908981 13f79535-47bb-0310-9956-ffa450edef68

server/apreq_module_cgi.c
server/apreq_parser.c
server/apreq_parser_header.c
server/apreq_parser_multipart.c
server/apreq_parser_urlencoded.c

index eaf4e99ef432a99871f7e7176734d58fdc48d6aa..d67371b4dfb9b7a965eae0e0380ba7969a88166f 100644 (file)
@@ -562,6 +562,8 @@ static apr_status_t cgi_args(apreq_handle_t *handle,
             if (val == NULL)
                 val = "";
             p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+            if (p == NULL)
+                return APR_ENOMEM;
             apreq_param_tainted_on(p);
             apreq_value_table_add(&p->v, req->args);
             val = p->v.data;
@@ -642,6 +644,8 @@ static apreq_param_t *cgi_args_get(apreq_handle_t *handle,
             if (val == NULL)
                 return NULL;
             p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+            if (p == NULL)
+                return NULL;
             apreq_param_tainted_on(p);
             apreq_value_table_add(&p->v, req->args);
             val = p->v.data;
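Review bot: The added `return NULL;` in cgi_args_get makes an allocation failure look the same as the `val == NULL` case two lines above it, so a caller cannot tell a failed apreq_param_make() from a parameter that was simply not supplied; the matching check in the cgi_body_get hunk has the same effect. Because the return type is `apreq_param_t *`, no status can be carried out, so I would at least document the conflation with a comment above the check such as `/* allocation failure: reported to the caller as a missing parameter */`. Both function bodies start and end outside these hunks, so how callers treat a NULL result is not visible here.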
@@ -678,6 +682,8 @@ static apr_status_t cgi_body(apreq_handle_t *handle,
             if (val == NULL)
                 val = "";
             p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+            if (p == NULL)
+                return APR_ENOMEM;
             apreq_param_tainted_on(p);
             apreq_value_table_add(&p->v, req->body);
             val = p->v.data;
@@ -720,6 +726,8 @@ static apreq_param_t *cgi_body_get(apreq_handle_t *handle,
             if (val == NULL)
                 return NULL;
             p = apreq_param_make(handle->pool, name, strlen(name), val, strlen(val));
+            if (p == NULL)
+                return NULL;
             apreq_param_tainted_on(p);
             apreq_value_table_add(&p->v, req->body);
             val = p->v.data;
index 700cc43face662444abaf64ada2f7bdf11bbfe22..f41888730377aecbd8b1d2c44121dc03c1eb70c2 100644 (file)
@@ -228,6 +228,8 @@ APREQ_DECLARE_PARSER(apreq_parse_generic)
         ctx->status = GEN_INCOMPLETE;
         ctx->param = apreq_param_make(pool,
                                       "_dummy_", strlen("_dummy_"), "", 0);
+        if (ctx->param == NULL)
+            return APR_ENOMEM;
         ctx->param->upload = apr_brigade_create(pool, parser->bucket_alloc);
         ctx->param->info = apr_table_make(pool, APREQ_DEFAULT_NELTS);
     }
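Review bot: The early `return APR_ENOMEM;` leaves `ctx->status` at GEN_INCOMPLETE with `ctx->param` still NULL, so if this block is a first-call initialisation guarded on the parser context (the guard is outside the hunk), a later call could skip it and dereference `ctx->param` anyway. Recording the failure before returning would close that path, for example by setting the context's status to its error value, or by attaching the context to the parser only after the allocations have succeeded. The four checks added in apreq_parse_multipart also return from the middle of the parser without touching `ctx->status`; it is worth confirming whether the existing error paths there mark the context as failed first, and matching them if so.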
index 6f72f563fd9c501bda1ab59eb040c5463465a3cb..e3c789eb12966caf3701764bcd4279c35402f531 100644 (file)
@@ -84,6 +84,8 @@ static apr_status_t consume_header_line(apreq_param_t **p,
     int i, eol = 0;
 
     param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
+    if (param == NULL)
+        return APR_ENOMEM;
     *(const apreq_value_t **)&v = &param->v;
 
     arr.pool     = pool;
index f280d2afc9c603554ab4b2646620c5a9a063b9ea..2bea98efbd6e12d8b502e42652ba97144426380f 100644 (file)
@@ -472,6 +472,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
 
                     param = apreq_param_make(pool, name, nlen,
                                              filename, flen);
+                    if (param == NULL)
+                        return APR_ENOMEM;
                     apreq_param_tainted_on(param);
                     param->info = ctx->info;
                     param->upload
@@ -505,6 +507,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
                 nlen = strlen(name);
                 param = apreq_param_make(pool, name, nlen,
                                          filename, flen);
+                if (param == NULL)
+                    return APR_ENOMEM;
                 apreq_param_tainted_on(param);
                 param->info = ctx->info;
                 param->upload = apr_brigade_create(pool,
@@ -532,6 +536,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
                 flen = 0;
                 param = apreq_param_make(pool, name, nlen,
                                          filename, flen);
+                if (param == NULL)
+                    return APR_ENOMEM;
                 apreq_param_tainted_on(param);
                 param->info = ctx->info;
                 param->upload = apr_brigade_create(pool,
@@ -569,6 +575,8 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
                 param = apreq_param_make(pool, ctx->param_name,
                                          strlen(ctx->param_name),
                                          NULL, len);
+                if (param == NULL)
+                    return APR_ENOMEM;
                 apreq_param_tainted_on(param);
                 param->info = ctx->info;
 
index e90d0dd3827aa0de872495de1f153c293d8bc656..fd8945596c8f57d805e93e92461857a8d4320326 100644 (file)
@@ -64,6 +64,8 @@ static apr_status_t split_urlword(apreq_param_t **p, apr_pool_t *pool,
         return APR_EBADARG;
 
     param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
+    if (param == NULL)
+        return APR_ENOMEM;
     *(const apreq_value_t **)&v = &param->v;
 
     arr.pool     = pool;