Fix buffer overflow in extract_status_code() #961

Merged
merged 1 commit into from Jul 24, 2018
Fix buffer overflow in extract_status_code()
Issue #960 identified that the buffer allocated for copying the
HTTP status code could overflow if the http response was corrupted.

This commit changes the way the status code is read, avoids copying
data, and also ensures that the status code is three digits long,
is non-negative and occurs on the first line of the response.

Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
pqarmitage committed Jul 24, 2018
commit f28015671a4b04785859d1b4b1327b367b6a10e9
23 changes: 9 additions & 14 deletions lib/html.c
@@ -58,23 +58,18 @@ size_t extract_content_length(char *buffer, size_t size)
*/
int extract_status_code(char *buffer, size_t size)
{
char *buf_code;
char *begin;
char *end = buffer + size;
size_t inc = 0;
int code;

/* Allocate the room */
buf_code = (char *)MALLOC(10);
unsigned long code;

/* Status-Code extraction */
while (buffer < end && *buffer++ != ' ') ;
begin = buffer;
while (buffer < end && *buffer++ != ' ')
inc++;
strncat(buf_code, begin, inc);
code = atoi(buf_code);
FREE(buf_code);
while (buffer < end && *buffer != ' ' && *buffer != '\r')
buffer++;
buffer++;
if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
return 0;
code = strtoul(buffer, &end, 10);
if (buffer + 3 != end)
return 0;
return code;
}

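Review bot: the new digit check does not actually enforce the "non-negative" property the commit message claims, because strtoul() accepts a leading sign. With the guard `if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')` a corrupted first line such as `HTTP/1.1 -20 OK` still passes (buffer[3] is a space and the first byte is not), strtoul() consumes `-20` and sets end to buffer + 3, so `if (buffer + 3 != end)` does not reject it, and the wrapped unsigned long value is returned through the int return type. Check that buffer[0], buffer[1] and buffer[2] are each a decimal digit (isdigit(), or `*buffer < '0' || *buffer > '9'` per byte) before calling strtoul(); that also makes the `*buffer == ' '` test redundant. A second point in the same hunk: the unconditional `buffer++` after the scanning loop runs whether the loop stopped on a space, on '\r', or because buffer reached end. The `buffer + 3 >= end` test prevents a dereference in the last case, but only after forming a pointer beyond the end of the buffer, and in the '\r' case the code is parsed as though a space had been found, so a status line with no space at all is not rejected. Testing `buffer >= end || *buffer != ' '` before the increment handles both. Finally, reusing `end` as the endptr for strtoul() overwrites the buffer bound; it is not read afterwards, so this is only a readability point, but a separate local would make the `buffer + 3 != end` comparison easier to follow.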