Added some buffer overrun protection, fixed handling of misformed URI with spaces.

author: Evgeny Grin (Karlson2k) <k2k@narod.ru> 2016-02-04 11:44:04 +0000
committer: Evgeny Grin (Karlson2k) <k2k@narod.ru> 2016-02-04 11:44:04 +0000
commit: 101e71a8cf90c3b12c66f5a40436509ea1bc4184 (patch)
tree: b57513b85bf0437c9b5e07683b2644b234a47f14
parent: b2a05d373cfec12f26bd71de7a1d63741b8b5e15 (diff)
download: libmicrohttpd-101e71a8cf90c3b12c66f5a40436509ea1bc4184.tar.gz
libmicrohttpd-101e71a8cf90c3b12c66f5a40436509ea1bc4184.zip
2 files changed, 53 insertions, 19 deletions
diff --git a/ChangeLog b/ChangeLog
index d0daf4b1..57f84066 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Thu Feb  4 11:38:11 CET 2016
+        Added some buffer overrun protection.
+        Fixed handling of misformed URI with spaces. -EG
 Wed Feb  3 15:41:57 CET 2016
        Make signal-pipe non-blocking and drain it. -CG
diff --git a/src/microhttpd/connection.c b/src/microhttpd/connection.c
index e3f92567..0a9f9885 100644
--- a/src/microhttpd/connection.c
+++ b/src/microhttpd/connection.c
@@ -1328,10 +1328,13 @@ MHD_connection_update_event_loop_info (struct MHD_Connection *connection)
 * return NULL.  Otherwise return a pointer to the line.
 *
 * @param connection connection we're processing
+ * @param[out] line_len pointer to variable that receive
+ *                      length of line or NULL
 * @return NULL if no full line is available
 */
 static char *
-get_next_header_line (struct MHD_Connection *connection)
+get_next_header_line (struct MHD_Connection *connection,
+                      size_t *line_len)
 {
  char *rbuf;
  size_t pos;
@@ -1357,8 +1360,13 @@ get_next_header_line (struct MHD_Connection *connection)
                                   : MHD_HTTP_REQUEST_URI_TOO_LONG,
                                   REQUEST_TOO_BIG);
        }
+      if (line_len)
+        *line_len = 0;
      return NULL;
    }
+  if (line_len)
+    *line_len = pos;
  /* found, check if we have proper LFCR */
  if (('\r' == rbuf[pos]) && ('\n' == rbuf[pos + 1]))
    rbuf[pos++] = '\0';         /* skip both r and n */
@@ -1512,11 +1520,13 @@ parse_cookie_header (struct MHD_Connection *connection)
 *
 * @param connection the connection (updated)
 * @param line the first line
+ * @param line_len length of the first line
 * @return #MHD_YES if the line is ok, #MHD_NO if it is malformed
 */
 static int
 parse_initial_message_line (struct MHD_Connection *connection,
-                            char *line)
+                            char *line,
+                            size_t line_len)
 {
  struct MHD_Daemon *daemon = connection->daemon;
  char *uri;
@@ -1524,25 +1534,48 @@ parse_initial_message_line (struct MHD_Connection *connection,
  char *args;
  unsigned int unused_num_headers;
-  if (NULL == (uri = strchr (line, ' ')))
+  if (NULL == (uri = memchr (line, ' ', line_len)))
    return MHD_NO;              /* serious error */
  uri[0] = '\0';
  connection->method = line;
  uri++;
-  while (' ' == uri[0])
+  /* Skip any spaces. Not required by standard but allow
+     to be more tolerant. */
+  while (' ' == uri[0] && (size_t)(uri - line) < line_len)
    uri++;
-  http_version = strchr (uri, ' ');
+  if (uri - line == line_len)
-  if (NULL != http_version)
    {
-      http_version[0] = '\0';
+      uri = "";
-      http_version++;
+      connection->version = "";
+      args = NULL;
+    }
+  else
+    {
+      /* Search from back to accept misformed URI with space */
+      http_version = line + line_len - 1;
+      /* Skip any trailing spaces */
+      while (' ' == http_version[0] && http_version > uri)
+        http_version--;
+      /* Find first space in reverse direction */
+      while (' ' != http_version[0] && http_version > uri)
+        http_version--;
+      if (http_version > uri)
+        {
+          http_version[0] = '\0';
+          connection->version = http_version + 1;
+          args = memchr(uri, '?', http_version - uri);
+        }
+      else
+        {
+          connection->version = "";
+          args = memchr(uri, '?', line_len - (uri - line));
+        }
    }
  if (NULL != daemon->uri_log_callback)
    connection->client_context
      = daemon->uri_log_callback (daemon->uri_log_callback_cls,
                                  uri,
                                  connection);
-  args = strchr (uri, '?');
  if (NULL != args)
    {
      args[0] = '\0';
@@ -1558,10 +1591,6 @@ parse_initial_message_line (struct MHD_Connection *connection,
                             connection,
                             uri);
  connection->url = uri;
-  if (NULL == http_version)
-    connection->version = "";
-  else
-    connection->version = http_version;
  return MHD_YES;
 }
@@ -2416,6 +2445,7 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
  unsigned int timeout;
  const char *end;
  char *line;
+  size_t line_len;
  int client_close;
  connection->in_idle = MHD_YES;
@@ -2430,7 +2460,7 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
      switch (connection->state)
        {
        case MHD_CONNECTION_INIT:
-          line = get_next_header_line (connection);
+          line = get_next_header_line (connection, &line_len);
          /* Check for empty string, as we might want
             to tolerate 'spurious' empty lines; also
             NULL means we didn't get a full line yet. */
@@ -2447,13 +2477,13 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
                }
              break;
            }
-          if (MHD_NO == parse_initial_message_line (connection, line))
+          if (MHD_NO == parse_initial_message_line (connection, line, line_len))
            CONNECTION_CLOSE_ERROR (connection, NULL);
          else
            connection->state = MHD_CONNECTION_URL_RECEIVED;
          continue;
        case MHD_CONNECTION_URL_RECEIVED:
-          line = get_next_header_line (connection);
+          line = get_next_header_line (connection, NULL);
          if (NULL == line)
            {
              if (MHD_CONNECTION_URL_RECEIVED != connection->state)
@@ -2481,7 +2511,7 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
          connection->state = MHD_CONNECTION_HEADER_PART_RECEIVED;
          continue;
        case MHD_CONNECTION_HEADER_PART_RECEIVED:
-          line = get_next_header_line (connection);
+          line = get_next_header_line (connection, NULL);
          if (NULL == line)
            {
              if (connection->state != MHD_CONNECTION_HEADER_PART_RECEIVED)
@@ -2571,7 +2601,7 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
            }
          break;
        case MHD_CONNECTION_BODY_RECEIVED:
-          line = get_next_header_line (connection);
+          line = get_next_header_line (connection, NULL);
          if (NULL == line)
            {
              if (connection->state != MHD_CONNECTION_BODY_RECEIVED)
@@ -2599,7 +2629,7 @@ MHD_connection_handle_idle (struct MHD_Connection *connection)
          connection->state = MHD_CONNECTION_FOOTER_PART_RECEIVED;
          continue;
        case MHD_CONNECTION_FOOTER_PART_RECEIVED:
-          line = get_next_header_line (connection);
+          line = get_next_header_line (connection, NULL);
          if (NULL == line)
            {
              if (connection->state != MHD_CONNECTION_FOOTER_PART_RECEIVED)
author	Evgeny Grin (Karlson2k) <k2k@narod.ru>	2016-02-04 11:44:04 +0000
committer	Evgeny Grin (Karlson2k) <k2k@narod.ru>	2016-02-04 11:44:04 +0000
commit	101e71a8cf90c3b12c66f5a40436509ea1bc4184 (patch)
tree	b57513b85bf0437c9b5e07683b2644b234a47f14
parent	b2a05d373cfec12f26bd71de7a1d63741b8b5e15 (diff)
download	libmicrohttpd-101e71a8cf90c3b12c66f5a40436509ea1bc4184.tar.gz libmicrohttpd-101e71a8cf90c3b12c66f5a40436509ea1bc4184.zip