[FASTCGI] bug in os_win32.c

Jay Sprenkle jsprenkle at gmail.com
Fri Aug 29 08:47:18 EDT 2008


I've found a bug in the fastcgi source:

The original code from os_win32.c:

      if (*bindPath != ':')
      {
          char * p = strchr(bindPath, ':');
          int len = p - bindPath + 1;

          host = malloc(len);
          strncpy(host, bindPath, len);
          host[len] = '\0';
      }

If this code is executed, the last line that null-terminates the
allocated buffer writes past the end of the allocated space. It
probably ought to be this:

      if (*bindPath != ':')
      {
          char * p = strchr(bindPath, ':');
          int len = p - bindPath;

          host = malloc(len + 1);
          strncpy(host, bindPath, len);
          host[len] = '\0';
      }

more to come... Jay
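
Added example, not part of the original post or the FastCGI source: the two length calculations from the message compared by allocation size and terminator index, plus a hypothetical `extract_host` helper that also rejects a missing ':' and a failed `malloc`, which the posted fragment does not check. The `layout` struct, the function names and the sample bind path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes allocated for host, and the index the '\0' is written to. */
struct layout { size_t alloc; size_t nul_index; };

/* Original: len = p - bindPath + 1; malloc(len); host[len] = '\0'. */
static struct layout original_layout(size_t host_len)
{
    struct layout l = { host_len + 1, host_len + 1 };
    return l;
}

/* Proposed: len = p - bindPath; malloc(len + 1); host[len] = '\0'. */
static struct layout fixed_layout(size_t host_len)
{
    struct layout l = { host_len + 1, host_len };
    return l;
}

/* Valid indices are 0 .. alloc-1, so the write is safe only below alloc. */
static int nul_in_bounds(struct layout l) { return l.nul_index < l.alloc; }

/* Hypothetical helper: heap copy of the text before ':', or NULL. */
static char *extract_host(const char *bindPath)
{
    const char *colon = bindPath ? strchr(bindPath, ':') : NULL;
    size_t len;
    char *host;

    if (colon == NULL || colon == bindPath) return NULL; /* no ':' or no host */
    len = (size_t)(colon - bindPath);
    host = malloc(len + 1);            /* room for the terminator */
    if (host == NULL) return NULL;
    memcpy(host, bindPath, len);       /* copies the host only, not the ':' */
    host[len] = '\0';
    return host;
}

int main(void)
{
    const char *sample = "localhost:9000";   /* constructed sample input */
    char *host = extract_host(sample);
    printf("original in bounds: %d\n", nul_in_bounds(original_layout(9)));
    printf("fixed in bounds:    %d\n", nul_in_bounds(fixed_layout(9)));
    printf("host: %s\n", host ? host : "(none)");
    free(host);
    return 0;
}
```

Both variants allocate the same number of bytes; only the terminator index differs, and the original's `strncpy` also copies the ':' into the host string.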

