httpd: addEnv() brainstorming
Dirk Clemens
develop at cle-mens.de
Mon Sep 5 16:46:37 UTC 2005
Vladimir N. Oleynik wrote:
> Dirk,
>
>> Here is another recommendation for addEnv()
>>
>> static void addEnv(const char *name_before_underline,
>> const char *name_after_underline, const char *value)
>> {
>> char buf[50]; // this is enough space for all names used in httpd
>
>
> Hmm. It's very small, for example for *_URI or *_PATH.
The buffer is large enough to handle the complete name
of the environment variable. The 'value' doesn't go into
the buffer.
>
>> if ( snprintf(buf,sizeof(buf), "%s%s%s=%s",
>> name_before_underline,
>> *name_after_underline ? "_" : "",
>> name_after_underline ) >= 0
>
>
> It's a bad idea: libc dependent.
> snprintf returns > 0 if buf has a small size, then this value is the required
> size.
I know, but I'm sure that the buffer is large enough.
And so I used snprintf() only for security, in case anyone
extends the code and sets a VERY_____LONG______VAR.
The code doesn't crash, but the variable name gets cut off.
Dirk
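
The truncation case discussed in this thread, as an added example that is not part of the original message or of BusyBox's code: it checks the snprintf() return value for both libc behaviours and refuses to export a clipped name. The names `add_env_checked` and `ENV_NAME_MAX` are hypothetical, and passing the value straight to setenv() is an assumption based on the statement that the value does not go into the buffer.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() under strict -std modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_NAME_MAX 50   /* same size as buf[] in the quoted code */

/* Hypothetical helper, not BusyBox's addEnv(): builds NAME or NAME_SUFFIX in
 * a fixed buffer and exports it. Returns 0 on success, -1 if the name would
 * be truncated or snprintf() failed, so a clipped name is never exported. */
static int add_env_checked(const char *before, const char *after,
                           const char *value)
{
    char buf[ENV_NAME_MAX];
    int n = snprintf(buf, sizeof(buf), "%s%s%s",
                     before, *after ? "_" : "", after);

    /* C99 libcs return the length that would have been written, so
     * n >= sizeof(buf) means truncation. Older libcs return -1 instead.
     * Both cases are rejected here. */
    if (n < 0 || (size_t)n >= sizeof(buf))
        return -1;

    /* The value never enters buf; setenv() copies it separately. */
    return setenv(buf, value, 1);
}

int main(void)
{
    /* Constructed sample inputs. */
    if (add_env_checked("REQUEST", "URI", "/cgi-bin/test?x=1") == 0)
        printf("REQUEST_URI=%s\n", getenv("REQUEST_URI"));

    if (add_env_checked("VERY_____LONG______VAR",
                        "WITH_A_SUFFIX_THAT_DOES_NOT_FIT_IN_FIFTY_BYTES",
                        "x") != 0)
        puts("name too long, not exported");
    return 0;
}
```

Rejecting the over-long name, rather than exporting a silently shortened one, keeps a CGI from seeing a variable under a name nobody intended.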