New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix buffer overflow in extract_status_code() #961

Merged
merged 1 commit into from Jul 24, 2018
Jump to file or symbol
Failed to load files and symbols.
+9 −14
Diff settings

Always

Just for now

Fix buffer overflow in extract_status_code()

Issue #960 identified that the buffer allocated for copying the
HTTP status code could overflow if the http response was corrupted.

This commit changes the way the status code is read, avoids copying
data, and also ensures that the status code is three digits long,
is non-negative and occurs on the first line of the response.

Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
  • Loading branch information...
pqarmitage committed Jul 24, 2018
commit f28015671a4b04785859d1b4b1327b367b6a10e9
Copy path View file
@@ -58,23 +58,18 @@ size_t extract_content_length(char *buffer, size_t size)
*/
int extract_status_code(char *buffer, size_t size)
{
char *buf_code;
char *begin;
char *end = buffer + size;
size_t inc = 0;
int code;
/* Allocate the room */
buf_code = (char *)MALLOC(10);
unsigned long code;
/* Status-Code extraction */
while (buffer < end && *buffer++ != ' ') ;
begin = buffer;
while (buffer < end && *buffer++ != ' ')
inc++;
strncat(buf_code, begin, inc);
code = atoi(buf_code);
FREE(buf_code);
while (buffer < end && *buffer != ' ' && *buffer != '\r')
buffer++;
buffer++;
if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
return 0;
code = strtoul(buffer, &end, 10);
if (buffer + 3 != end)
return 0;
return code;
}
ProTip! Use n and p to navigate between commits in a pull request.