Munge /r and /n in HTTP_HttpSendRequestA
Uwe Bonnes
bon at elektron.ikp.physik.tu-darmstadt.de
Mon Mar 15 05:03:02 CST 2004
>>>>> "Rolf" == Rolf Kalbermatter <rolf.kalbermatter at citeng.com> writes:
Rolf> Uwe Bonnes <bon at elektron.ikp.physik.tu-darmstadt.de> wrote:
>> This makes Xilinx webupdate.exe see the Servicepack
>>
>> + else + /* remove \r and \n*/ + { + int nLen =
>> strlen(lpwhr->lpszPath); + while ((lpwhr->lpszPath[nLen-1] ==
>> '\r')||(lpwhr->lpszPath[nLen-1] == '\n')) + { + nLen--; +
>> lpwhr->lpszPath[nLen]='\0'; + }
Rolf> Mmmh, what happens if the passed in path would only exist of \r\n?
Rolf> A for or while loop without a guaranteed termination condition
Rolf> always seems suspect to me. I guess this would crash with an
Rolf> access violation, and most probably overwrite a few bytes of
Rolf> memory with 0 before that happens. Not good I think although I
Rolf> think it couldn't be effectively exploited as buffer overrun!
Rolf> while (nLen > 0 && ((lpwhr->lpszPath[nLen-1] == '\r') ||
Rolf> (lpwhr->lpszPath[nLen-1] == '\n')))
Rolf> might be the better solution. Though I still wonder about the
Rolf> [nLen-1] in above term. It seems [nLen] instead would be actually
Rolf> the right thing to do here which would make it
Rolf> while (nLen >= 0 && ((lpwhr->lpszPath[nLen] == '\r') ||
Rolf> (lpwhr->lpszPath[nLen] == '\n')))
The test for nLen is a good idea. But
with nLen = strlen(lpwhr->lpszPath); lpwhr->lpszPath[nLen] should give the
terminating NULL to my understanding...
Or am I off by one?
Bye
Rolf> Rolf Kalbermatter
--
Uwe Bonnes bon at elektron.ikp.physik.tu-darmstadt.de
Institut fuer Kernphysik Schlossgartenstrasse 9 64289 Darmstadt
--------- Tel. 06151 162516 -------- Fax. 06151 164321 ----------
More information about the wine-devel
mailing list