summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Vlasenko2015-10-23 11:49:04 +0200
committerDenys Vlasenko2015-10-23 11:49:04 +0200
commit59f8475924760a5d74e18a88f325493e7c38c537 (patch)
tree2fc1b6c280bde40c9dae7415207286e7a64095a7
parentd3d6534b2a86bdd651aa39dfabe620fe2208459f (diff)
downloadbusybox-59f8475924760a5d74e18a88f325493e7c38c537.zip
busybox-59f8475924760a5d74e18a88f325493e7c38c537.tar.gz
httpd: fix heap buffer overflow. Closes 8426
function old new delta send_headers 654 677 +23 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--networking/httpd.c25
1 files changed, 19 insertions, 6 deletions
diff --git a/networking/httpd.c b/networking/httpd.c
index 00169c3..ed15fd8 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -967,19 +967,30 @@ static void send_headers(int responseNum)
}
#endif
if (responseNum == HTTP_MOVED_TEMPORARILY) {
- len += sprintf(iobuf + len, "Location: %s/%s%s\r\n",
+ /* Responding to "GET /dir" with
+ * "HTTP/1.0 302 Found" "Location: /dir/"
+ * - IOW, asking them to repeat with a slash.
+ * Here, overflow IS possible, can't use sprintf:
+ * mkdir test
+ * python -c 'print("get /test?" + ("x" * 8192))' | busybox httpd -i -h .
+ */
+ len += snprintf(iobuf + len, IOBUF_SIZE-3 - len,
+ "Location: %s/%s%s\r\n",
found_moved_temporarily,
(g_query ? "?" : ""),
(g_query ? g_query : ""));
+ if (len > IOBUF_SIZE-3)
+ len = IOBUF_SIZE-3;
}
#if ENABLE_FEATURE_HTTPD_ERROR_PAGES
if (error_page && access(error_page, R_OK) == 0) {
- strcat(iobuf, "\r\n");
- len += 2;
-
- if (DEBUG)
+ iobuf[len++] = '\r';
+ iobuf[len++] = '\n';
+ if (DEBUG) {
+ iobuf[len] = '\0';
fprintf(stderr, "headers: '%s'\n", iobuf);
+ }
full_write(STDOUT_FILENO, iobuf, len);
if (DEBUG)
fprintf(stderr, "writing error page: '%s'\n", error_page);
@@ -1021,8 +1032,10 @@ static void send_headers(int responseNum)
responseNum, responseString,
responseNum, responseString, infoString);
}
- if (DEBUG)
+ if (DEBUG) {
+ iobuf[len] = '\0';
fprintf(stderr, "headers: '%s'\n", iobuf);
+ }
if (full_write(STDOUT_FILENO, iobuf, len) != len) {
if (verbose > 1)
bb_perror_msg("error");