From: Jeff Trawick <trawick@apache.org>
Date: Fri, 13 Oct 2000 17:54:24 +0000 (+0000)
Subject: getline() fixes...
X-Git-Tag: APACHE_2_0_ALPHA_8~374
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ee1ba0a23fabf87e7e2e7e60f90651cb032c7157;p=apache

getline() fixes...

If ap_get_brigade() returns APR_SUCCESS but an empty brigade, bail out.
Previously, we kept going and sometimes segfaulted while operating on
what we thought was the first bucket.

Free the temporary brigade used by getline().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86581 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 02dbfa4e43..5f4318393d 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -960,7 +960,9 @@ static int getline(char *s, int n, conn_rec *c, int fold)
 
     while (1) {
         if (AP_BRIGADE_EMPTY(b)) {
-            if (ap_get_brigade(c->input_filters, b, AP_GET_LINE) != APR_SUCCESS) {
+            if (ap_get_brigade(c->input_filters, b, AP_GET_LINE) != APR_SUCCESS ||
+                AP_BRIGADE_EMPTY(b)) {
+                ap_brigade_destroy(b);
                 return -1;
             }
         }
@@ -986,6 +988,7 @@ static int getline(char *s, int n, conn_rec *c, int fold)
             /* input line was larger than the caller's buffer */
             AP_BUCKET_REMOVE(e);
             ap_bucket_destroy(e);
+            ap_brigade_destroy(b);
             return -1;
         }
         
@@ -1033,6 +1036,7 @@ static int getline(char *s, int n, conn_rec *c, int fold)
             pos++;              /* bump past end of incomplete line      */
         }
     }
+    ap_brigade_destroy(b);
     return total;
 }