Posted to commits@nuttx.apache.org by ac...@apache.org on 2021/05/16 14:32:57 UTC
[incubator-nuttx-apps] 04/04: webclient: Fix buffer overrun in wget_parsestatus
This is an automated email from the ASF dual-hosted git repository.
acassis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx-apps.git
commit 95c90076683d0f8e68cd53cc9f62acc40f4477a6
Author: YAMAMOTO Takashi <ya...@midokura.com>
AuthorDate: Fri May 14 11:24:58 2021 +0900
webclient: Fix buffer overrun in wget_parsestatus
Similarly to the fix in wget_parseheaders.
But simply always bail out as I guess it's very rare to see
that long status line.
Tested with an artificially small CONFIG_WEBCLIENT_MAXHTTPLINE=20,
which is smaller than "HTTP/1.1 301 Moved Permanently".
---
netutils/webclient/webclient.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/netutils/webclient/webclient.c b/netutils/webclient/webclient.c
index 7f84ccc..72f5585 100644
--- a/netutils/webclient/webclient.c
+++ b/netutils/webclient/webclient.c
@@ -376,9 +376,20 @@ static inline int wget_parsestatus(struct webclient_context *ctx,
while (offset < ws->datend)
{
+ bool got_nl;
+
ws->line[ndx] = ws->buffer[offset];
- if (ws->line[ndx] == ISO_NL)
+ got_nl = ws->line[ndx] == ISO_NL;
+ if (got_nl || ndx == CONFIG_WEBCLIENT_MAXHTTPLINE - 1)
{
+ if (!got_nl)
+ {
+ nerr("ERROR: HTTP status line didn't fit "
+ "CONFIG_WEBCLIENT_MAXHTTPLINE: %.*s\n",
+ ndx, ws->line);
+ return -E2BIG;
+ }
+
ws->line[ndx] = '\0';
if ((strncmp(ws->line, g_http10, strlen(g_http10)) == 0) ||
(strncmp(ws->line, g_http11, strlen(g_http11)) == 0))
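Review bot: In the `!got_nl` branch, the `nerr()` call passes `ndx` as the `%.*s` precision, so the byte just stored at `ws->line[ndx]` is left out of the message, and the bytes that are printed come straight from the server with no filtering. Consider passing `ndx + 1` if the full truncated line is wanted, and either escaping non-printable bytes or logging only the length, so that a hostile server cannot place control characters in the device log. The precision argument of `%.*s` must be an `int`, so add a cast if `ndx` is declared with another type. The bound itself reads correctly: `ws->line[ndx]` is written before the check, and the check stops at `CONFIG_WEBCLIENT_MAXHTTPLINE - 1`, the last valid index, provided `ws->line` has `CONFIG_WEBCLIENT_MAXHTTPLINE` elements (its declaration is not visible in this hunk). The commit message describes a test with an over-long status line; a boundary test where the newline lands exactly at index `CONFIG_WEBCLIENT_MAXHTTPLINE - 1` would confirm that such a line is still accepted through the `got_nl` path rather than rejected with `-E2BIG`.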