From ef0b353fee598ddb7c5ec4e1e7f5427bf3d4e155 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Sun, 16 Feb 2014 13:08:27 +0000
Subject: [PATCH] [mod_cml_lua] fix null pointer dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
a local lua script could trigger it by not sending any files and not setting a last-modified header, leading to zero mtime and a buffer ptr = NULL which was used in http_response_handle_cachable
From: Stefan Bühler
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2951 152afb58-edef-0310-8abb-c4023f1b3aa9
---
NEWS | 1 +
src/mod_cml_lua.c | 10 +++-------
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/NEWS b/NEWS
index 51fc93ab..e35b7d84 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ NEWS * [buffer] fix length check in buffer_is_equal_right_len * fix resource leaks in error cases on config parsing and other initializations * add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546) + * [mod_cml_lua] fix null pointer dereference - 1.4.34 * [mod_auth] explicitly link ssl for SHA1 (fixes #2517)
diff --git a/src/mod_cml_lua.c b/src/mod_cml_lua.c
index 92fa6e11..f77a7c71 100644
--- a/src/mod_cml_lua.c
+++ b/src/mod_cml_lua.c
@@ -398,26 +398,22 @@ int cache_parse_lua(server *srv, connection *con, plugin_data *p, buffer *fn) { con->file_finished = 1; ds = (data_string *)array_get_element(con->response.headers, "Last-Modified"); + if (0 == mtime) mtime = time(NULL); /* default last-modified to now */ /* no Last-Modified specified */ - if ((mtime) && (NULL == ds)) { + if (NULL == ds) { strftime(timebuf, sizeof(timebuf), "%a, %d %b %Y %H:%M:%S GMT", gmtime(&mtime)); response_header_overwrite(srv, con, CONST_STR_LEN("Last-Modified"), timebuf, sizeof(timebuf) - 1); - tbuf.ptr = timebuf; tbuf.used = sizeof(timebuf); tbuf.size = sizeof(timebuf); - } else if (ds) { + } else { tbuf.ptr = ds->value->ptr; tbuf.used = ds->value->used; tbuf.size = ds->value->size; - } else { - tbuf.size = 0; - tbuf.used = 0; - tbuf.ptr = NULL; } if (HANDLER_FINISHED == http_response_handle_cachable(srv, con, &tbuf)) {
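Review bot: The `else` branch still passes `ds->value->ptr` to `http_response_handle_cachable` unchecked, so the NULL dereference fixed here for the missing-header case could remain reachable if a `Last-Modified` entry can exist with an empty or unallocated value; the hunk does not show whether that can happen. Treating such an entry like a missing header would close that path with a one-line change: `if (NULL == ds || NULL == ds->value->ptr) {`. In the generated branch the return values of `gmtime()` and `strftime()` are ignored, and both the header length and `tbuf.used` are taken from `sizeof(timebuf)` rather than from what `strftime` wrote, so a comment such as `/* relies on timebuf being sized exactly for the formatted date plus NUL */` would record the assumption about a declaration that sits outside the hunk. `cache_parse_lua` begins before and continues after the hunk, so the source of `mtime` and the later use of `tbuf` are not visible here.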