[FASTCGI] bug in os_win32.c
Jay Sprenkle
jsprenkle at gmail.com
Fri Aug 29 08:47:18 EDT 2008
I've found a bug in the fastcgi source:
The original code from os_win32.c:
if (*bindPath != ':')
{
char * p = strchr(bindPath, ':');
int len = p - bindPath + 1;
host = malloc(len);
strncpy(host, bindPath, len);
host[len] = '\0';
}
If this code is executed the last line that null terminates the
allocated buffer writes past the
end of the allocated space. It probably ought to be this:
if (*bindPath != ':')
{
char * p = strchr(bindPath, ':');
int len = p - bindPath;
host = malloc(len + 1);
strncpy(host, bindPath, len);
host[len] = '\0';
}
more to come... Jay
More information about the FastCGI-developers
mailing list