[En-Nut-Discussion] HTTP password protection - better solution
Peter Sodermanns
peter.sodermanns at aixcon.de
Wed Aug 30 16:43:46 CEST 2006
Edwin van den Oetelaar wrote:
>> auth = (NutHttpAuthLookup(dirname, oldlogin));
>> if (auth) {
>> strcpy((char *) auth->auth_login, newlogin);
>
>
> This is NOT OK! The size of your newlogin may be bigger than your
> oldlogin so this may overwrite unallocated memory!!
>
>
> Whoops! Where is the allocating of memory done? You copy a pointer
> without the contents. This will not work as expected!
>
In Ethernut 4.1.9 the definition of variables and allocation of memory
has to be done outside of these functions. See httpd-server example,
it's the only program using authentication I found.
NutRegisterAuth() just deals with pointers saved in the AUTHINFO list
and allocates memory only for those pointers.
So my function, which takes the input of name and password, allocates
memory and puts these addresses via NutRegisterAuth() into the list. And
this function is also responsible for not accepting names longer than the
size, or for allocating sufficient memory.
Therefore freeing the list works, but allocating is not the task of the
functions in auth.c - as far as I understand the mechanism.
Kind regards
Peter
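
The division of labour described in this message (the caller allocates and length-checks, the list only keeps pointers) can be sketched as follows. This is an added example, not part of the original post and not Nut/OS code: auth_entry, dup_bounded(), auth_set_login() and MAX_LOGIN are hypothetical names, and the entry is assumed to hold a heap buffer owned by the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_LOGIN 64 /* assumed limit for "user:password"; not a Nut/OS constant */

/* Hypothetical stand-in for a list entry that stores only pointers. */
typedef struct auth_entry {
    const char *dirname;
    const char *login; /* heap buffer owned by the caller, or NULL */
} auth_entry;

/* Copy s into a buffer sized to fit. Returns NULL if s is NULL, empty,
 * longer than MAX_LOGIN, or if allocation fails. */
static char *dup_bounded(const char *s)
{
    size_t n = 0;
    char *p;
    if (s == NULL)
        return NULL;
    while (n <= MAX_LOGIN && s[n] != '\0')
        n++;
    if (n == 0 || n > MAX_LOGIN)
        return NULL;
    p = malloc(n + 1);
    if (p != NULL) {
        memcpy(p, s, n);
        p[n] = '\0';
    }
    return p;
}

/* Replace an entry's login: allocate first, swap the pointer, then free
 * the old buffer. Returns 0 on success, -1 if rejected (entry unchanged). */
int auth_set_login(auth_entry *e, const char *newlogin)
{
    char *copy = (e != NULL) ? dup_bounded(newlogin) : NULL;
    if (copy == NULL)
        return -1;
    free((void *) e->login);
    e->login = copy;
    return 0;
}

int main(void)
{
    auth_entry e = { "cgi-bin", NULL }; /* constructed sample values */
    int a = auth_set_login(&e, "root:root");
    int b = auth_set_login(&e, "administrator:a-longer-secret");
    printf("%d %d %s\n", a, b, e.login);
    free((void *) e.login); return 0;
}
```

Because the new string always gets its own buffer, a replacement longer than the old login never writes into the old allocation, which is the problem raised about the strcpy() call quoted above.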