author | Denys Vlasenko | 2015-10-23 11:49:04 +0200 |
---|---|---|
committer | Denys Vlasenko | 2015-10-23 11:49:04 +0200 |
commit | 59f8475924760a5d74e18a88f325493e7c38c537 (patch) | |
tree | 2fc1b6c280bde40c9dae7415207286e7a64095a7 | |
parent | d3d6534b2a86bdd651aa39dfabe620fe2208459f (diff) | |
httpd: fix heap buffer overflow. Closes 8426
function old new delta
send_headers 654 677 +23
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | networking/httpd.c | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/networking/httpd.c b/networking/httpd.c
index 00169c3..ed15fd8 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -967,19 +967,30 @@ static void send_headers(int responseNum)
 }
 #endif
 if (responseNum == HTTP_MOVED_TEMPORARILY) {
- len += sprintf(iobuf + len, "Location: %s/%s%s\r\n",
+ /* Responding to "GET /dir" with
+ * "HTTP/1.0 302 Found" "Location: /dir/"
+ * - IOW, asking them to repeat with a slash.
+ * Here, overflow IS possible, can't use sprintf:
+ * mkdir test
+ * python -c 'print("get /test?" + ("x" * 8192))' | busybox httpd -i -h .
+ */
+ len += snprintf(iobuf + len, IOBUF_SIZE-3 - len,
+ "Location: %s/%s%s\r\n",
 found_moved_temporarily,
 (g_query ? "?" : ""),
 (g_query ? g_query : ""));
+ if (len > IOBUF_SIZE-3)
+ len = IOBUF_SIZE-3;
 }
 #if ENABLE_FEATURE_HTTPD_ERROR_PAGES
 if (error_page && access(error_page, R_OK) == 0) {
- strcat(iobuf, "\r\n");
- len += 2;
-
- if (DEBUG)
+ iobuf[len++] = '\r';
+ iobuf[len++] = '\n';
+ if (DEBUG) {
+ iobuf[len] = '\0';
 fprintf(stderr, "headers: '%s'\n", iobuf);
+ }
 full_write(STDOUT_FILENO, iobuf, len);
 if (DEBUG)
 fprintf(stderr, "writing error page: '%s'\n", error_page);
@@ -1021,8 +1032,10 @@ static void send_headers(int responseNum)
 responseNum, responseString,
 responseNum, responseString, infoString);
 }
- if (DEBUG)
+ if (DEBUG) {
+ iobuf[len] = '\0';
 fprintf(stderr, "headers: '%s'\n", iobuf);
+ }
 if (full_write(STDOUT_FILENO, iobuf, len) != len) {
 if (verbose > 1)
 bb_perror_msg("error"); |
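Review bot: When the Location line is truncated, the clamp `len = IOBUF_SIZE-3` counts the NUL that snprintf() stored as the last byte of its window, so the NUL at `iobuf[IOBUF_SIZE-4]` becomes part of the headers handed to full_write(). A running total that lands exactly on `IOBUF_SIZE-3` is also a truncation, but the `>` test does not catch it. Clamping to the bytes actually written covers both cases: `if (len >= IOBUF_SIZE-3) len = IOBUF_SIZE-4;`. A truncated header also loses its closing `\r\n`, so answering an over-long query with an error status may be cleaner than sending a cut-off redirect, and the reserve of 3 (apparently the appended `\r\n` plus the debug NUL) deserves a one-line comment. send_headers starts and ends outside this hunk, so the type of `len` and the earlier appends to iobuf are not visible here.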
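Review bot: The new `iobuf[len] = '\0';` store is in bounds only while `len < IOBUF_SIZE`, and on this path the formatting call whose arguments end in the context lines above has already appended to iobuf after the Location clamp left `len` as high as `IOBUF_SIZE-3`. That call starts outside the hunk; if it is still an unbounded sprintf(), a redirect carrying a long query string can write past the buffer before this line is reached. Bounding it the same way as the Location line, with the size computed from the space remaining in iobuf, and clamping `len` afterwards would close that path.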