From: <no...@so...> - 2008-10-13 16:04:44
Update of /cvsroot/ijbswa/current
In directory 23jxhf1.ch3.sourceforge.com:/tmp/cvs-serv8447
Modified Files: jcc.c
Log Message: Make sure we don't try to reuse tainted server sockets.
Index: jcc.c
===================================================================
RCS file: /cvsroot/ijbswa/current/jcc.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -d -r1.194 -r1.195
--- jcc.c 12 Oct 2008 18:35:18 -0000 1.194
+++ jcc.c 13 Oct 2008 16:04:37 -0000 1.195
@@ -33,6 +33,9 @@
 *
 * Revisions :
 * $Log$
+ * Revision 1.195 2008/10/13 16:04:37 fabiankeil
+ * Make sure we don't try to reuse tainted server sockets.
+ *
 * Revision 1.194 2008/10/12 18:35:18 fabiankeil
 * The last commit was a bit too ambitious, apparently the content
 * length adjustment is only necessary if we aren't buffering.
@@ -2557,7 +2560,7 @@
 if (n < 0)
 {
 log_error(LOG_LEVEL_ERROR, "select() failed!: %E");
- return;
+ break;
 }
 /*
@@ -2576,7 +2579,7 @@
 if (write_socket(csp->sfd, buf, (size_t)len))
 {
 log_error(LOG_LEVEL_ERROR, "write to: %s failed: %E", http->host);
- return;
+ break;
 }
 continue;
 }
@@ -2617,7 +2620,7 @@
 */
 log_error(LOG_LEVEL_ERROR, "Already forwarded the original headers. " "Unable to tell the client about the problem.");
- return;
+ break;
 }
 rsp = error_response(csp, "connect-failed", errno);
@@ -2713,7 +2716,7 @@
 log_error(LOG_LEVEL_ERROR, "write modified content to client failed: %E");
 freez(hdr);
 freez(p);
- return;
+ break;
 }
 freez(hdr);
@@ -2770,8 +2773,7 @@
 log_error(LOG_LEVEL_ERROR, "Out of memory while trying to flush.");
 rsp = cgi_error_memory();
 send_crunch_response(csp, rsp);
-
- return;
+ break;
 }
 hdrlen = strlen(hdr);
@@ -2782,7 +2784,7 @@
 log_error(LOG_LEVEL_CONNECT, "Flush header and buffers to client failed: %E");
 freez(hdr);
- return;
+ break;
 }
 /*
@@ -2801,7 +2803,7 @@
 if (write_socket(csp->cfd, buf, (size_t)len))
 {
 log_error(LOG_LEVEL_ERROR, "write to client failed: %E");
- return;
+ break;
 }
 }
 byte_count += (size_t)len;
@@ -2820,8 +2822,7 @@
 log_error(LOG_LEVEL_ERROR, "Out of memory while looking for end of server headers.");
 rsp = cgi_error_memory();
 send_crunch_response(csp, rsp);
-
- return;
+ break;
 }
 header_start = csp->iob->cur;
@@ -2857,7 +2858,7 @@
 log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 502 0", csp->ip_addr_str, http->cmd);
 write_socket(csp->cfd, NO_SERVER_DATA_RESPONSE, strlen(NO_SERVER_DATA_RESPONSE));
 free_http_request(http);
- return;
+ break;
 }
 assert(csp->headers->first->str);
@@ -2881,7 +2882,7 @@
 write_socket(csp->cfd, INVALID_SERVER_HEADERS_RESPONSE, strlen(INVALID_SERVER_HEADERS_RESPONSE));
 free_http_request(http);
- return;
+ break;
 }
 /*
@@ -2908,7 +2909,7 @@
 * and are done here after cleaning up.
 */
 freez(hdr);
- return;
+ break;
 }
 /* Buffer and pcrs filter this if appropriate. */
@@ -2937,7 +2938,7 @@
 * to the client... it probably can't hear us anyway.
 */
 freez(hdr);
- return;
+ break;
 }
 byte_count += (size_t)len;
@@ -2972,8 +2973,17 @@
 }
 continue;
 }
-
- return; /* huh? we should never get here */
+ /*
+ * If we reach this point, the server socket is tainted
+ * (most likely because we didn't read everything the
+ * server sent us) and reusing it would lead to garbage.
+ */
+ if ((csp->flags & CSP_FLAG_SERVER_CONNECTION_KEEP_ALIVE))
+ {
+ log_error(LOG_LEVEL_CONNECT, "Unsetting keep-alive flag.");
+ csp->flags &= ~CSP_FLAG_SERVER_CONNECTION_KEEP_ALIVE;
+ }
+ return;
 }
 if (csp->content_length == 0) |
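Review bot: Code after the loop can now run with `http` already released, because the 502 path at `@@ -2857` and the invalid-headers path at `@@ -2881` both call `free_http_request(http)` and then `break` instead of returning. What follows the loop is outside these hunks apart from `if (csp->content_length == 0)`, so this is inferred: if that code still reads fields of `http` (for the access-log line, say), it would be reading freed or cleared data. Either keep `return` on these two paths once the keep-alive flag has been cleared, or move the `free_http_request(http)` call to the common exit so the request is released exactly once, after its last use.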
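Review bot: The block that clears `CSP_FLAG_SERVER_CONNECTION_KEEP_ALIVE` at `@@ -2972` replaces the old `return; /* huh? we should never get here */` and is followed by a `}` and then `if (csp->content_length == 0)`, which reads as the bottom of the loop body rather than code after the loop. If that is right, the `break`s introduced in the earlier hunks (select() failure, failed writes, out-of-memory, bad server headers) jump past it and leave the flag set, so a server socket with unread data could still be reused and hand one response's leftover bytes to the next request. Indentation is lost on this page, so confirm the nesting; if it holds, clear the flag on each error path before leaving the loop, for example through one small helper called ahead of every `break`. The log line would also be easier to correlate with the socket named in it: `log_error(LOG_LEVEL_CONNECT, "Unsetting keep-alive flag for server socket %d.", csp->sfd);`.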