../../../../libs/xmlrpc-c/src/xmlrpc_server

Bug Summary

File:	src/mod/xml_int/mod_xml_rpc/../../../../libs/xmlrpc-c/src/xmlrpc_server_cgi.c
Location:	line 257, column 9
Description:	Potential leak of memory pointed to by 'err'

Annotated Source Code

** Redistribution and use in source and binary forms, with or without

** modification, are permitted provided that the following conditions

** are met:

** 1. Redistributions of source code must retain the above copyright

** notice, this list of conditions and the following disclaimer.

** 2. Redistributions in binary form must reproduce the above copyright

** notice, this list of conditions and the following disclaimer in the

** documentation and/or other materials provided with the distribution.

** 3. The name of the author may not be used to endorse or promote products

** derived from this software without specific prior written permission.

** THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

** ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

** IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

** ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

** FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

** DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

** OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

** HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

** LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

** OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

** SUCH DAMAGE. */

#include "xmlrpc_config.h"

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

/* Windows NT stdout binary mode fix. */

#ifdef _WIN32

#include <io.h>

#include <fcntl.h>

#endif

#include "xmlrpc-c/base.h"

#include "xmlrpc-c/server.h"

#include "xmlrpc-c/string_int.h"

#include "xmlrpc-c/server_cgi.h"

/*=========================================================================

** Output Routines

**=========================================================================

** These routines send various kinds of responses to the server.

static void

send_xml(const char * const xml_data,

size_t const xml_len) {

#ifdef _WIN32

_setmode(_fileno(stdoutstdout), _O_BINARY);

#endif

/* Send our CGI headers back to the server.

** XXX - Coercing 'size_t' to 'unsigned long' might be unsafe under

** really weird circumstances. */

fprintf(stdoutstdout, "Status: 200 OK\n");

/* Handle authentication cookie being sent back. */

if (getenv("HTTP_COOKIE_AUTH") != NULL((void*)0))

fprintf(stdoutstdout, "Set-Cookie: auth=%s\n", getenv("HTTP_COOKIE_AUTH"));

fprintf(stdoutstdout, "Content-type: text/xml; charset=\"utf-8\"\n");

fprintf(stdoutstdout, "Content-length: %ld\n\n", (unsigned long) xml_len);

/* Blast out our data. */

fwrite(xml_data, sizeof(char), xml_len, stdoutstdout);

}

static void

send_error(int const code,

const char * const message,

xmlrpc_env * const env) {

#ifdef _WIN32

_setmode(_fileno(stdoutstdout), _O_BINARY);

#endif

/* Send an error header. */

fprintf(stdoutstdout, "Status: %d %s\n", code, message);

fprintf(stdoutstdout, "Content-type: text/html\n\n");

/* Send an error message. */

fprintf(stdoutstdout, "<title>%d %s</title>\n", code, message);

fprintf(stdoutstdout, "<h1>%d %s</h1>\n", code, message);

fprintf(stdoutstdout, "<p>An error occurred processing your request.</p>\n");

/* Print out the XML-RPC fault, if present. */

if (env && env->fault_occurred)

fprintf(stdoutstdout, "<p>XML-RPC Fault #%d: %s</p>\n",

env->fault_code, env->fault_string);

}

/*=========================================================================

** die_if_fault_occurred

**=========================================================================

100

** Certain kinds of errors aren't worth the trouble of generating

101

** an XML-RPC fault. For these, we just send status 500 to our web server

102

** and log the fault to our server log.

103

104

105

static void

106

die_if_fault_occurred(xmlrpc_env * const env) {

107

if (env->fault_occurred) {

108

fprintf(stderrstderr, "Unexpected XML-RPC fault: %s (%d)\n",

109

env->fault_string, env->fault_code);

110

send_error(500, "Internal Server Error", env);

111

exit(1);

112

}

113

}

114

115

116

/*=========================================================================

117

** Initialization, Cleanup & Method Registry

118

**=========================================================================

119

** These are all related, so we group them together.

120

121

122

static xmlrpc_registry * globalRegistryP;

123

124

/*=========================================================================

125

** get_body

126

**=========================================================================

127

** Slurp the body of the request into an xmlrpc_mem_block.

128

129

130

static xmlrpc_mem_block *

131

get_body(xmlrpc_env * const env,

132

size_t const length) {

133

134

xmlrpc_mem_block *result;

135

char *contents;

136

size_t count;

137

138

XMLRPC_ASSERT_ENV_OK(env)do if (!((env) != ((void*)0) && (env->fault_string
== ((void*)0)) && !(env)->fault_occurred)) xmlrpc_assertion_failed
("../../../../libs/xmlrpc-c/src/xmlrpc_server_cgi.c", 138); while
(0);

139

140

/* Error-handling preconditions. */

141

result = NULL((void*)0);

142

143

#ifdef _WIN32

144

/* Fix from Jeff Stewart: NT opens stdin and stdout in text mode

145

by default, badly confusing our length calculations. So we need

146

to set the file handle to binary.

147

148

_setmode(_fileno(stdinstdin), _O_BINARY);

149

#endif

150

/* XXX - Puke if length is too big. */

151

152

/* Allocate our memory block. */

153

result = xmlrpc_mem_block_new(env, length);

154

XMLRPC_FAIL_IF_FAULT(env)do { if ((env)->fault_occurred) goto cleanup; } while (0);

155

contents = XMLRPC_TYPED_MEM_BLOCK_CONTENTS(char, result)((char*) xmlrpc_mem_block_contents(result));

156

157

/* Get our data off the network.

158

** XXX - Coercing 'size_t' to 'unsigned long' might be unsafe under

159

** really weird circumstances. */

160

count = fread(contents, sizeof(char), length, stdinstdin);

161

if (count < length)

162

XMLRPC_FAIL2(env, XMLRPC_INTERNAL_ERROR,do { xmlrpc_env_set_fault_formatted((env),((-500)),("Expected %ld bytes, received %ld"
),((unsigned long) length),((unsigned long) count)); goto cleanup
; } while (0)

163

"Expected %ld bytes, received %ld",do { xmlrpc_env_set_fault_formatted((env),((-500)),("Expected %ld bytes, received %ld"
),((unsigned long) length),((unsigned long) count)); goto cleanup
; } while (0)

164

(unsigned long) length, (unsigned long) count)do { xmlrpc_env_set_fault_formatted((env),((-500)),("Expected %ld bytes, received %ld"
),((unsigned long) length),((unsigned long) count)); goto cleanup
; } while (0);

165

166

cleanup:

167

if (env->fault_occurred) {

168

if (result)

169

xmlrpc_mem_block_free(result);

170

return NULL((void*)0);

171

}

172

return result;

173

}

174

175

176

177

void

178

xmlrpc_server_cgi_process_call(xmlrpc_registry * const registryP) {

179

/*----------------------------------------------------------------------------

180

Get the XML-RPC call from Standard Input and environment variables,

181

parse it, find the right method, call it, prepare an XML-RPC

182

response with the result, and write it to Standard Output.

183

-----------------------------------------------------------------------------*/

184

xmlrpc_env env;

185

char *method, *type, *length_str;

186

int length;

187

xmlrpc_mem_block *input, *output;

188

char *input_data, *output_data;

189

size_t input_size, output_size;

190

int code;

191

char *message;

192

193

/* Error-handling preconditions. */

194

xmlrpc_env_init(&env);

195

input = output = NULL((void*)0);

196

197

/* Set up a default error message. */

198

code = 500; message = "Internal Server Error";

199

200

/* Get our HTTP information from the environment. */

201

method = getenv("REQUEST_METHOD");

202

type = getenv("CONTENT_TYPE");

203

length_str = getenv("CONTENT_LENGTH");

204

205

/* Perform some sanity checks. */

206

if (!method || !xmlrpc_streq(method, "POST")) {

←

Assuming 'method' is non-null

→

←

Taking false branch

→

207

code = 405; message = "Method Not Allowed";

208

XMLRPC_FAIL(&env, XMLRPC_INTERNAL_ERROR, "Expected HTTP method POST")do { xmlrpc_env_set_fault((&env),((-500)),("Expected HTTP method POST"
)); goto cleanup; } while (0);

209

}

210

if (!type || !xmlrpc_strneq(type, "text/xml", strlen("text/xml"))) {

←

Assuming 'type' is non-null

→

←

Taking true branch

→

211

char *template = "Expected content type: \"text/xml\", received: \"%s\"";

212

size_t err_len = strlen(template) + strlen(type) + 1;

213

char *err = malloc(err_len);

←

Memory is allocated

→

214

215

(void)snprintf(err, err_len, template, type);

216

code = 400; message = "Bad Request";

217

XMLRPC_FAIL(&env, XMLRPC_INTERNAL_ERROR, err)do { xmlrpc_env_set_fault((&env),((-500)),(err)); goto cleanup
; } while (0);

218

free(err);

219

}

220

if (!length_str) {

221

code = 411; message = "Length Required";

222

XMLRPC_FAIL(&env, XMLRPC_INTERNAL_ERROR, "Content-length required")do { xmlrpc_env_set_fault((&env),((-500)),("Content-length required"
)); goto cleanup; } while (0);

223

}

224

225

/* Get our content length. */

226

length = atoi(length_str);

227

if (length <= 0) {

228

code = 400; message = "Bad Request";

229

XMLRPC_FAIL(&env, XMLRPC_INTERNAL_ERROR, "Content-length must be > 0")do { xmlrpc_env_set_fault((&env),((-500)),("Content-length must be > 0"
)); goto cleanup; } while (0);

230

}

231

232

/* SECURITY: Make sure our content length is legal.

233

** XXX - We can cast 'input_len' because we know it's >= 0, yes? */

234

if ((size_t) length > xmlrpc_limit_get(XMLRPC_XML_SIZE_LIMIT_ID(1))) {

235

code = 400; message = "Bad Request";

236

XMLRPC_FAIL(&env, XMLRPC_LIMIT_EXCEEDED_ERROR,do { xmlrpc_env_set_fault((&env),((-509)),("XML-RPC request too large"
)); goto cleanup; } while (0)

237

"XML-RPC request too large")do { xmlrpc_env_set_fault((&env),((-509)),("XML-RPC request too large"
)); goto cleanup; } while (0);

238

}

239

240

/* Get our body. */

241

input = get_body(&env, length);

242

XMLRPC_FAIL_IF_FAULT(&env)do { if ((&env)->fault_occurred) goto cleanup; } while
(0);

243

input_data = XMLRPC_TYPED_MEM_BLOCK_CONTENTS(char, input)((char*) xmlrpc_mem_block_contents(input));

244

input_size = XMLRPC_TYPED_MEM_BLOCK_SIZE(char, input)(xmlrpc_mem_block_size(input) / sizeof(char));

245

246

/* Process our call. */

247

xmlrpc_registry_process_call2(&env, registryP,

248

input_data, input_size, NULL((void*)0), &output);

249

XMLRPC_FAIL_IF_FAULT(&env)do { if ((&env)->fault_occurred) goto cleanup; } while
(0);

250

output_data = XMLRPC_TYPED_MEM_BLOCK_CONTENTS(char, output)((char*) xmlrpc_mem_block_contents(output));

251

output_size = XMLRPC_TYPED_MEM_BLOCK_SIZE(char, output)(xmlrpc_mem_block_size(output) / sizeof(char));

252

253

/* Send our data. */

254

send_xml(output_data, output_size);

255

256

cleanup:

257

if (input)

←

Potential leak of memory pointed to by 'err'

258

xmlrpc_mem_block_free(input);

259

if (output)

260

xmlrpc_mem_block_free(output);

261

262

if (env.fault_occurred)

263

send_error(code, message, &env);

264

265

xmlrpc_env_clean(&env);

266

}

267

268

269

270

void

271

xmlrpc_cgi_init(int const flags ATTR_UNUSED__attribute__((__unused__))) {

272

xmlrpc_env env;

273

274

xmlrpc_env_init(&env);

275

globalRegistryP = xmlrpc_registry_new(&env);

276

die_if_fault_occurred(&env);

277

xmlrpc_env_clean(&env);

278

}

279

280

281

282

void

283

xmlrpc_cgi_cleanup(void) {

284

xmlrpc_registry_free(globalRegistryP);

285

}

286

287

288

289

xmlrpc_registry *

290

xmlrpc_cgi_registry(void) {

291

return globalRegistryP;

292

}

293

294

295

296

void

297

xmlrpc_cgi_add_method(const char * const method_name,

298

xmlrpc_method const method,

299

void * const user_data) {

300

xmlrpc_env env;

301

xmlrpc_env_init(&env);

302

xmlrpc_registry_add_method(&env, globalRegistryP, NULL((void*)0), method_name,

303

method, user_data);

304

die_if_fault_occurred(&env);

305

xmlrpc_env_clean(&env);

306

}

307

308

309

310

void

311

xmlrpc_cgi_add_method_w_doc(const char * const method_name,

312

xmlrpc_method const method,

313

void * const user_data,

314

const char * const signature,

315

const char * const help) {

316

xmlrpc_env env;

317

xmlrpc_env_init(&env);

318

xmlrpc_registry_add_method_w_doc(&env, globalRegistryP, NULL((void*)0), method_name,

319

method, user_data, signature, help);

320

die_if_fault_occurred(&env);

321

xmlrpc_env_clean(&env);

322

}

323

324

325

326

void

327

xmlrpc_cgi_process_call(void) {

328

329

xmlrpc_server_cgi_process_call(globalRegistryP);

Calling 'xmlrpc_server_cgi_process_call'

→

330

}