author | florian | 2014-12-05 20:01:39 +0000 |
---|---|---|
committer | Wynn Wolf Arbor | 2020-05-24 12:33:55 +0200 |
commit | 9fb6e15abb8df81fedafd3327f726eafd09c8f8f (patch) | |
tree | a89678d6d7e2121069235002a1ac0cffa0ba53f0 /slowcgi.c | |
parent | f0b64c903b83f5c9b19f89fb83149b825ace59c1 (diff) | |
download | slowcgi-9fb6e15abb8df81fedafd3327f726eafd09c8f8f.tar.gz |
Bail out if the buffer is too small to contain the length of a parameter value. Found while investigating a dead store pointed out by llvm scan-build.
Diffstat (limited to '')
-rw-r--r-- | slowcgi.c | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: slowcgi.c,v 1.39 2014/12/05 19:59:55 florian Exp $ */
+/* $OpenBSD: slowcgi.c,v 1.40 2014/12/05 20:01:39 florian Exp $ */
 /*
 * Copyright (c) 2013 David Gwynne <dlg@openbsd.org>
 * Copyright (c) 2013 Florian Obser <florian@openbsd.org>
@@ -682,8 +682,6 @@ parse_params(uint8_t *buf, uint16_t n, struct request *c, uint16_t id)
 return;
 }
 
- name_len = val_len = 0;
-
 /*
 * If this is the last FastCGI parameter record,
 * begin execution of the CGI script.
@@ -723,7 +721,9 @@ parse_params(uint8_t *buf, uint16_t n, struct request *c, uint16_t id)
 } else
 return;
 }
- }
+ } else
+ return;
+
 if (n < name_len + val_len)
 return;
 |
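Review bot: The new `else return;` that closes the value-length branch in the third hunk drops a truncated params record without leaving any trace, as do the `return` statements around it, so a peer that keeps sending short records is invisible to an operator and nothing in the hunk marks the request as failed. Consider emitting a warning through the file's existing logging path before returning, and documenting the branch with a comment such as `/* record too short to hold the value length: drop it */`. The check that follows, `if (n < name_len + val_len)`, also depends on the sum not wrapping; the declarations are outside the hunk, so confirm both variables are unsigned 32-bit, since FastCGI name and value lengths can each be up to 31 bits. parse_params starts and ends outside the hunk.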