From 1e298ddfca45386ee95e866abf439ed7f022b562 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Fri, 14 Feb 2025 16:08:23 +0000 Subject: [PATCH] mod_dav: Fix error handling for dav_fs_dir_file_name(): dav_fs_dir_file_name() will not set *fname_p to NULL on failure, and all callers of dav_fs_dir_file_name() does not check the return value of dav_fs_dir_file_name(), which could lead to an undefined behavior against fname_p. Fix this by adding return value check of dav_fs_dir_file_name() Submitted by: Zhou Qingyang Github: closes #309 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923813 13f79535-47bb-0310-9956-ffa450edef68 --- modules/dav/fs/repos.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/modules/dav/fs/repos.c b/modules/dav/fs/repos.c index 23d798177c1..45412f18ecc 100644 --- a/modules/dav/fs/repos.c +++ b/modules/dav/fs/repos.c @@ -595,8 +595,13 @@ static dav_error *dav_fs_copymoveset(int is_move, apr_pool_t *p, /* Get directory and filename for resources */ /* ### should test these result values... */ - (void) dav_fs_dir_file_name(src, &src_dir, &src_file); - (void) dav_fs_dir_file_name(dst, &dst_dir, &dst_file); + err = dav_fs_dir_file_name(src, &src_dir, &src_file); + if (err != NULL) + return err; + + err = dav_fs_dir_file_name(dst, &dst_dir, &dst_file); + if (err != NULL) + return err; /* Get the corresponding state files for each resource */ dav_dbm_get_statefiles(p, src_file, &src_state1, &src_state2); @@ -644,11 +649,14 @@ static dav_error *dav_fs_deleteset(apr_pool_t *p, const dav_resource *resource) const char *state1; const char *state2; const char *pathname; + dav_error *err; apr_status_t status; /* Get directory, filename, and state-file names for the resource */ /* ### should test this result value... */ - (void) dav_fs_dir_file_name(resource, &dirpath, &fname); + err = dav_fs_dir_file_name(resource, &dirpath, &fname); + if (err != NULL) + return err; dav_dbm_get_statefiles(p, fname, &state1, &state2); /* build the propset pathname for the file */