From: Florian Obser Subject: Re: httpd check localtime_r To: tech@openbsd.org Date: Mon, 24 Jun 2024 20:52:24 +0200 I was considering making it print 19-Jan-2038 or something like that but that's effort, I think skipping is fine. OK florian if someone wants to commit this. Btw. I did check the other calls to this family of functions and they seem to be correct in httpd. On 2024-06-24 12:55 -04, Henry Ford wrote: > httpd uses localtime_r(3) on the modification time of a file. > It is possible that this modification time could be unrepresentable > by a struct tm, in which case localtime_r will fail, leaving tm > uninitialized. > This diff checks for that condition and errors out appropriately. > > diff /usr/src > commit - a96be6992871e57ed676b51a9a1512da3ab5f68c > path + /usr/src > blob - cdcc11cd800eb4a5b4c896f4912752a5ee87387e > file + usr.sbin/httpd/server_file.c > --- usr.sbin/httpd/server_file.c > +++ usr.sbin/httpd/server_file.c > @@ -558,7 +558,11 @@ server_file_index(struct httpd *env, struct client *cl > } > > t = subst.st_mtime; > - localtime_r(&t, &tm); > + if (localtime_r(&t, &tm) == NULL) { > + skip = 1; > + free(dp); > + continue; > + } > strftime(tmstr, sizeof(tmstr), "%d-%h-%Y %R", &tm); > > if ((escapeduri = url_encode(dp->d_name)) == NULL) { > -- In my defence, I have been left unsupervised.