From 70d2e07043fb09b10ce19959d6f391e56aa4d22b Mon Sep 17 00:00:00 2001
From: Nicolas Favre-Felix <n.favrefelix@gmail.com>
Date: Wed, 26 Jan 2011 21:14:24 +0100
Subject: [PATCH] Fix memory access on empty commands.

---
 acl.c            | 11 +++++++++--
 client.c         |  1 +
 client.h         |  1 +
 cmd.c            |  4 +++-
 cmd.h            |  2 --
 formats/common.c |  4 ++--
 6 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/acl.c b/acl.c
index 4703fa5..7fd0a55 100644
--- a/acl.c
+++ b/acl.c
@@ -43,8 +43,15 @@ acl_allow_command(struct cmd *cmd, struct conf *cfg, struct http_client *client)
 
 	in_addr_t client_addr;
 
-	const char *cmd_name = cmd->argv[0];
-	size_t cmd_len = cmd->argv_len[0];
+	const char *cmd_name;
+	size_t cmd_len;
+
+	if(cmd->count == 0) {
+		return 0;
+	}
+
+	cmd_name = cmd->argv[0];
+	cmd_len = cmd->argv_len[0];
 
 	/* some commands are always disabled, regardless of the config file. */
 	for(i = 0; i < sizeof(always_off) / sizeof(always_off[0]); ++i) {
diff --git a/client.c b/client.c
index 13ac3af..aaf5d39 100644
--- a/client.c
+++ b/client.c
@@ -122,6 +122,7 @@ http_client_cleanup(struct http_client *c) {
 	c->cmd = NULL;
 
 	c->state = CLIENT_WAITING;
+	c->started_responding = 0;
 }
 
 void
diff --git a/client.h b/client.h
index 29c66ea..b991097 100644
--- a/client.h
+++ b/client.h
@@ -54,6 +54,7 @@ struct http_client {
 
 	/* pub/sub */
 	struct subscription *sub;
+	int started_responding;
 
 	struct http_response resp;
 
diff --git a/cmd.c b/cmd.c
index 77f585e..f2b99c1 100644
--- a/cmd.c
+++ b/cmd.c
@@ -95,6 +95,9 @@ cmd_run(struct server *s, struct http_client *client,
 	if(body && body_len) { /* PUT request */
 		param_count++;
 	}
+	if(param_count == 0) {
+		return -1;
+	}
 
 	client->cmd = cmd = cmd_new(param_count);
 
@@ -113,7 +116,6 @@ cmd_run(struct server *s, struct http_client *client,
 	cmd->argv[0] = uri;
 	cmd->argv_len[0] = cmd_len;
 
-
 	/* check that the client is able to run this command */
 	if(!acl_allow_command(cmd, s->cfg, client)) {
 		return -1;
diff --git a/cmd.h b/cmd.h
index 052216f..eb4c47c 100644
--- a/cmd.h
+++ b/cmd.h
@@ -19,8 +19,6 @@ struct cmd {
 	const char **argv;
 	size_t *argv_len;
 
-	int started_responding;
-
 	/* HTTP data */
 	char *mime;
 	int mime_free;
diff --git a/formats/common.c b/formats/common.c
index e057e1f..64062bd 100644
--- a/formats/common.c
+++ b/formats/common.c
@@ -40,9 +40,9 @@ format_send_reply(struct http_client *client, const char *p, size_t sz, const ch
 		free_cmd = 0;
 
 		/* start streaming */
-		if(cmd->started_responding == 0) {
+		if(client->started_responding == 0) {
 			const char *ct = cmd->mime?cmd->mime:content_type;
-			cmd->started_responding = 1;
+			client->started_responding = 1;
 			http_set_header(&client->output_headers.content_type, ct, strlen(ct));
 			http_send_reply_start(client, 200, "OK");
 		}