fix: resolve open bugs #7, #8, #9, #11 #60

Merged
mgrossmann merged 4 commits into main from fix/open-bugs-7-8-9-11
Apr 11, 2026

@mgrossmann
Contributor

Summary

Four open bugs fixed in separate commits:

  1. Missing return value in parse_cookies() #8 — Missing return in parse_cookies() (httpshen.c)
    Added return 0; — was undefined behavior

  2. Integer overflow in environment variable allocation #7 — Integer overflow in env allocation (httpnenv.c)
    Use size_t instead of int, add +2 for null terminators, reject combined lengths > 8192

  3. Minor fixes: strtok in SSI, version string bounds, NULL check #11 — strtok thread safety + minor fixes (5 files)
    Replace all strtok() with manual pointer-based tokenizers in httpshen.c, httpdbug.c, httpjes2.c, httpfile.c. Use snprintf in httppars.c

  4. Race condition in client array management #9 — Race condition in client array (httpd.c)
    Add lock()/unlock() around array_add(&httpd->httpc) to match the existing locking in httpclos.c

Test plan

  • Build on MVS (make build && make link)
  • Cookie parsing still works (httpshen.c)
  • Debug query variable works (?debug=cgi,vars)
  • JES2 spool browser multi-DSID and multi-jobid work
  • SSI includes work (httpfile.c)
  • Server stable under concurrent load (race condition fix)

Fixes #7, Fixes #8, Fixes #9, Fixes #11

parse_cookies() is declared as returning int but had no return
statement after free(buf), causing undefined behavior.

Fixes #8

Use size_t instead of int for string length calculations in
httpnenv() to prevent integer overflow on long name+value pairs.
Add +2 for the two null terminators that were missing from the
allocation size. Reject combined lengths over 8192 bytes as a
sanity limit.

Fixes #7

strtok() uses internal static state that is not thread-safe.
Replace all strtok() calls with manual pointer-based tokenizers:
- httpshen.c: cookie parser
- httpdbug.c: debug options parser
- httpjes2.c: DSID and jobid list parsers
- httpfile.c: SSI directive and quoted value parsers

Also replace sprintf with snprintf for version string in
httppars.c to prevent potential buffer overflow.

Fixes #11

array_add(&httpd->httpc) in socket_thread was not synchronized
with array_del in httpclos (which already uses lock/unlock).
With keep-alive, connections live longer and concurrent access
to the client array is more likely. Add matching lock/unlock
around array_add.

Fixes #9

@mgrossmann force-pushed the fix/open-bugs-7-8-9-11 branch from e33aed2 to fcd9300 on April 11, 2026 18:38
@mgrossmann merged commit d7b9961 into main on Apr 11, 2026
1 check failed
@mgrossmann deleted the fix/open-bugs-7-8-9-11 branch on April 11, 2026 18:38
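
The size calculation described for bug #7, as an added example that is not code from this pull request or from the project. The function name `env_pair_alloc`, the macro `ENV_MAX_COMBINED` and the `name\0value\0` buffer layout are assumptions; the `size_t` arithmetic, the +2 for the terminators and the 8192 limit are taken from the commit message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_MAX_COMBINED 8192   /* sanity limit quoted in the PR summary */

/* Hypothetical helper, not the project's httpnenv(): builds "name\0value\0"
 * in one heap block (assumed layout). Returns NULL on bad or oversize input. */
char *env_pair_alloc(const char *name, const char *value, size_t *out_size)
{
    size_t nlen, vlen, total;
    char *buf;

    if (name == NULL || value == NULL)
        return NULL;

    /* size_t holds any strlen() result; an int sum could wrap negative
     * or truncate and lead to an undersized allocation. */
    nlen = strlen(name);
    vlen = strlen(value);

    /* Subtract instead of add so the limit check itself cannot wrap. */
    if (nlen > ENV_MAX_COMBINED || vlen > ENV_MAX_COMBINED - nlen)
        return NULL;

    total = nlen + vlen + 2;    /* +2: one NUL after name, one after value */
    buf = malloc(total);
    if (buf == NULL)
        return NULL;

    memcpy(buf, name, nlen + 1);              /* copies name and its NUL */
    memcpy(buf + nlen + 1, value, vlen + 1);  /* copies value and its NUL */
    if (out_size != NULL)
        *out_size = total;
    return buf;
}

int main(void)
{
    size_t size = 0;
    char *pair = env_pair_alloc("QUERY_STRING", "debug=cgi,vars", &size); /* constructed input */

    if (pair == NULL)
        return 1;
    printf("%s=%s (%lu bytes)\n", pair, pair + strlen(pair) + 1, (unsigned long)size);
    free(pair);
    return 0;
}
```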