(part 2) posible minour buggs in dick heathfields book

hay, Han frm china heer again...
ben readin sum more c unleashed book dick heathfields book...
still readin dick heathfields data structs cht but jumped ahead
to chad dixons cgi proggraming cht out of interest for
bit varietty... hard to focuss on length of data structs cht
vry drawn out longwindded imho...

small robusttness patch for pg. 400 DlExchange() function:

int DLExchange(DLLIST *ItemA, DLLIST *ItemB)
{
//...
- if(ItemA != NULL && ItemB != NULL)
- {
- if(ItemA->next == ItemB)
+ if(ItemA != NULL && ItemB != NULL)
+ {
+ if(ItemA == ItemB)
+ {
+ Result = DL_SAME_ITEM;
+ }
+ else if(ItemA->next == ItemB)

this stopp function wrking on same item, witch wuld
cause one-node loop & corruptt double lst...

now for cgi cht.. witch also still reading... hope
to read entire bk lerning lot much frm the c exprtts

cgi cht has section on seccurity for cgi but has
seccurity prob in its own ReadCGIData() funct...
also not in c unleashed erata...

plz, bear wit me hear, this about to get vry complexx

size_t Size = 0;
//...
ContentLength = getenv("CONTENT_LENGTH");
//...
Size = (size_t)atoi(ContentLength);
if(Size <= 0)
{
*Error = CGI_BAD_CONTENT_LENGTH;
}
//...
++Size;
Buffer = malloc(Size);
if(NULL == Buffer)
//...
if(NULL == fgets(Buffer, Size, stdin))

//... bang!

it is posible set Size to size_t max value (assume
size_t unsigned) with ContentLength of -1.
i.e., have look at my code...

size_t j;
j = (size_t)atoi("-1");
printf("%lu\n", (unsigned long)j);

many web server hapily acceppt -1 ContentLength

this max value then pass test
if(Size <= 0)

then ++Size make max value wrap to 0

then following code may not fail
Buffer = malloc(Size);
if(NULL == Buffer)

[H&S 16.1: "If the requested size is 0, then the Standard
C functions will return either a null pointer or a non-null
pointer that nevertheless must not be used to access an
object."]

what importtant is that malloc(0) may not return NULL...
on, fe., glibc malloc allocator based on doug lea malloc,
malloc(0) allocatte minimum chunk... this malloc allocator
store importtant bookkeepin info at end of chunk...

then,
fgets(Buffer, Size, stdin)

use max value Size to overrun malloc chunk up to next
newline, corrupttin memory, introducin deadly securrity
issue

i, Han, certtainly not ussin c unleashed cgi library
on my web server.......
starttin feel angry bout c unleashed book purrchase,
feelin as tho bought anotther Herb Schildt book....

Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real
reale ma all'indirizzo fittizio|person but to a fake address of an
di un sistema anonimizzatore |anonymous system
Per maggiori informazioni |For more info
https://www.mixmaster.it