Posted to commits@nuttx.apache.org by pk...@apache.org on 2022/06/07 12:09:20 UTC
[incubator-nuttx-apps] 03/05: webcilent: Fix a buffer overrun on a malformed status line
This is an automated email from the ASF dual-hosted git repository.
pkarashchenko pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx-apps.git
commit 0c4c81143442dc96129482f07d0cb2fe10cb0a84
Author: YAMAMOTO Takashi <ya...@midokura.com>
AuthorDate: Mon Jun 6 17:43:36 2022 +0900
webcilent: Fix a buffer overrun on a malformed status line
---
netutils/webclient/webclient.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/netutils/webclient/webclient.c b/netutils/webclient/webclient.c
index f5599e9ca..8378cd135 100644
--- a/netutils/webclient/webclient.c
+++ b/netutils/webclient/webclient.c
@@ -489,6 +489,16 @@ static inline int wget_parsestatus(struct webclient_context *ctx,
return -E2BIG;
}
+ /* HTTP status line is something like:
+ *
+ * HTTP/1.1 200 OK
+ *
+ * https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2
+ *
+ * > status-line = HTTP-version SP status-code \
+ * > SP reason-phrase CRLF
+ */
+
ws->line[ndx] = '\0';
if ((strncmp(ws->line, g_http10, strlen(g_http10)) == 0) ||
(strncmp(ws->line, g_http11, strlen(g_http11)) == 0))
@@ -496,7 +506,15 @@ static inline int wget_parsestatus(struct webclient_context *ctx,
unsigned long http_status;
char *ep;
- dest = &(ws->line[9]);
+ DEBUGASSERT(strlen(g_http10) == 8);
+ DEBUGASSERT(strlen(g_http11) == 8);
+
+ if (ws->line[8] != ' ') /* SP before the status-code */
+ {
+ return -EINVAL;
+ }
+
+ dest = &(ws->line[9]); /* the status-code */
ws->httpstatus = HTTPSTATUS_NONE;
errno = 0;
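Review bot: The bounds fix here rests on the hard-coded offsets 8 and 9, and the only thing tying them to the matched prefix is the pair of `DEBUGASSERT`s, which presumably compile away when debug assertions are disabled. Deriving the offsets from the prefix would keep the guard correct in every build, for example `size_t vlen = strlen(g_http10);` followed by `if (ws->line[vlen] != ' ')` and `dest = &(ws->line[vlen + 1]);` (both version strings are asserted to have the same length). It would also help to say in a comment why the check closes the overrun: `/* line[8] is NUL when the line is only the HTTP-version; line[9] would then lie past the terminator */`. wget_parsestatus starts before and continues after this hunk, so the conversion call that consumes `dest` is not visible here and should be checked against the same malformed inputs.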
@@ -506,7 +524,7 @@ static inline int wget_parsestatus(struct webclient_context *ctx,
return -EINVAL;
}
- if (*ep != ' ')
+ if (*ep != ' ') /* SP before reason-phrase */
{
return -EINVAL;
}