FIX: Sending a POST HTTP Request May Cause an Access Violation

ID: Q152365

The information in this article applies to:

SYMPTOMS

When sending a POST HTTP request to an MFC ISAPI DLL, you may see an access violation occur in the debugger or get a message about a failed request from the Web browser.

CAUSE

There is a bug in CHttpServer::GetQuery() which is located in ISAPI.CPP in the MFC source code directory (MSDEV\MFC\SRC). On line 206 of ISAPI.CPP, you can see the following code:

   _tcscpy(lpszQuery, (LPCTSTR) pCtxt->m_pECB->lpbData);

The data pointed to by pCtxt->m_pECB->lpbData is not null-terminated. In fact, pCtxt->m_pECB->cbAvailable should be used to determine the number of bytes to copy.

RESOLUTION

To resolve this problem, change ISAPI.CPP and rebuild the MFC ISAPI Library.

First, modify ISAPI.CPP by changing the line on 206 from:

   _tcscpy(lpszQuery, (LPCTSTR) pCtxt->m_pECB->lpbData);

to:

   memcpy(lpszQuery, (LPCTSTR) pCtxt->m_pECB->lpbData,
          pCtxt->m_pECB->cbAvailable);
   lpszQuery[pCtxt->m_pECB->cbAvailable] = '\0';

The new function will look like this:

   LPTSTR CHttpServer::GetQuery(CHttpServerContext* pCtxt,
                                LPTSTR lpszQuery, DWORD cbQuery)
   {
      DWORD cbRemaining;

      //
      // If the request is a GET, then the lpszQueryString member of
      // the ECB contains the query string.
      //
      // If the request is a POST, then you have to get all of the
      // data, both from the lpbData member, and then read the rest of
      // the data via the ReadClient() call.
      //
      if (cbQuery < pCtxt->m_pECB->cbTotalBytes)
         return NULL;

      memcpy(lpszQuery,
             (LPCTSTR) pCtxt->m_pECB->lpbData,
             pCtxt->m_pECB->cbAvailable);
      lpszQuery[pCtxt->m_pECB->cbAvailable] = '\0';

      if ((cbRemaining = pCtxt->m_pECB->cbTotalBytes
                         - pCtxt->m_pECB->cbAvailable) > 0)
      {
         pCtxt->ReadClient((LPVOID) (lpszQuery
                                     + pCtxt->m_pECB->cbAvailable),
                           &cbRemaining);
      }
      return lpszQuery;
   }
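The following is an added, stand-alone C model of the bounded copy; it is not the MFC source or Microsoft's patch. The ECB fields and ReadClient() are simulated by a constructed struct and function (mock_ecb, mock_read_client), and the POST body is a constructed sample split between lpbData and the simulated ReadClient() so the "remainder" path is exercised. It also requires room for the terminator and terminates only after the whole body is present, which goes slightly beyond the two-line change above.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the ECB fields GetQuery() uses (an assumption,
   not the real EXTENSION_CONTROL_BLOCK). lpbData is NOT NUL-terminated. */
typedef struct {
    const unsigned char *lpbData;   /* first chunk of the POST body        */
    size_t cbAvailable;             /* bytes present in lpbData            */
    size_t cbTotalBytes;            /* Content-Length of the whole body    */
    const unsigned char *rest;      /* remainder the simulated server holds */
} mock_ecb;

/* Simulated ReadClient(): copies up to *cb bytes of the remaining body. */
static int mock_read_client(const mock_ecb *ecb, void *dst, size_t *cb) {
    size_t remaining = ecb->cbTotalBytes - ecb->cbAvailable;
    if (*cb > remaining) *cb = remaining;
    memcpy(dst, ecb->rest, *cb);
    return 1;
}

/* Bounded copy: never scans lpbData for a terminator, refuses a buffer that
   cannot hold the full body plus '\0', and terminates only after the
   remainder has been read. Returns NULL when the request does not fit. */
char *get_query_bounded(const mock_ecb *ecb, char *lpszQuery, size_t cbQuery) {
    size_t cbRemaining;
    if (ecb->cbAvailable > ecb->cbTotalBytes || ecb->cbTotalBytes >= cbQuery)
        return NULL;                           /* inconsistent ECB or no room */
    memcpy(lpszQuery, ecb->lpbData, ecb->cbAvailable);
    cbRemaining = ecb->cbTotalBytes - ecb->cbAvailable;
    if (cbRemaining > 0 &&
        !mock_read_client(ecb, lpszQuery + ecb->cbAvailable, &cbRemaining))
        return NULL;
    lpszQuery[ecb->cbAvailable + cbRemaining] = '\0';
    return lpszQuery;
}

/* Constructed POST body "name=alice&id=42" (16 bytes, no NUL anywhere),
   10 bytes in lpbData and 6 bytes left for ReadClient(). */
static const unsigned char body_head[] = {'n','a','m','e','=','a','l','i','c','e'};
static const unsigned char body_tail[] = {'&','i','d','=','4','2'};
const mock_ecb sample_ecb = { body_head, sizeof body_head,
                              sizeof body_head + sizeof body_tail, body_tail };
```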

You can rebuild the MFC ISAPI library by using the MFCISAPI.MAK file in the \MSDEV\MFC\SRC directory. If the ISAPI DLL is built with MFC statically linked (using NAFXIS(D).LIB), you can build the MFC ISAPI library by going to the \MFC\SRC directory and typing:

   NMAKE /f MFCISAPI.MAK DEBUG=1

Specifying DEBUG=1 will build the debug version of the library. Do not use "DEBUG=1" if you want to build a release build of the library.

If you are building your ISAPI DLL linking to the MFC DLL (using EAFXIS(D).LIB), you can build the MFC ISAPI library by going to the \MFC\SRC directory and typing:

   NMAKE /f MFCISAPI.MAK DEBUG=1 DLL=2

For more information about other options you can specify on the NMAKE Command line, see the README.TXT file in the MSDEV\MFC\SRC directory or look at the MFCISAPI.MAK file.

STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. This bug was corrected in Visual C++ 32-bit Edition version 4.2.

Additional query words: ISAPI POST Internet Extension DLL

Keywords          : kbcode kbISAPI kbMFC kbVC kbVC410bug kbVC420fix iisapi kbbuglist kbfixlist
Version           : 4.1
Platform          : NT WINDOWS
Issue type        : kbbug
Solution Type     : kbfix

Last Reviewed: November 15, 1998