From: Henry Ford <henryfordkjv@gmail.com>
Subject: httpd check localtime_r
To: tech@openbsd.org
Date: Mon, 24 Jun 2024 12:55:31 -0400

httpd uses localtime_r(3) on the modification time of a file.
It is possible that this modification time could be unrepresentable
by a struct tm, in which case localtime_r will fail, leaving tm
uninitialized.
This diff checks for that condition and errors out appropriately.

diff /usr/src
commit - a96be6992871e57ed676b51a9a1512da3ab5f68c
path + /usr/src
blob - cdcc11cd800eb4a5b4c896f4912752a5ee87387e
file + usr.sbin/httpd/server_file.c
--- usr.sbin/httpd/server_file.c
+++ usr.sbin/httpd/server_file.c
@@ -558,7 +558,11 @@ server_file_index(struct httpd *env, struct client *cl
 		}
 
 		t = subst.st_mtime;
-		localtime_r(&t, &tm);
+		if (localtime_r(&t, &tm) == NULL) {
+			skip = 1;
+			free(dp);
+			continue;
+		}
 		strftime(tmstr, sizeof(tmstr), "%d-%h-%Y %R", &tm);
 
 		if ((escapeduri = url_encode(dp->d_name)) == NULL) {