Diffstat (limited to 'src')
-rw-r--r-- | src/daemon/connection.c | 14 | ||||
-rw-r--r-- | src/daemon/digestauth.c | 7 | ||||
-rw-r--r-- | src/daemon/internal.c | 11 |
3 files changed, 21 insertions, 11 deletions
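--- a/src/daemon/connection.c
+++ b/src/daemon/connection.c
@@ -26,6 +26,7 @@
 */
 
 #include "internal.h"
+#include <limits.h>
 #include "connection.h"
 #include "memorypool.h"
 #include "response.h"
@@ -1252,6 +1253,7 @@ process_request_body (struct MHD_Connection *connection)
 int instant_retry;
 int malformed;
 char *buffer_head;
+char *end;
 
 if (connection->response != NULL)
 return; /* already queued a response */
@@ -1326,11 +1328,8 @@ process_request_body (struct MHD_Connection *connection)
 if (!malformed)
 {
 buffer_head[i] = '\0';
-malformed =
-(1 != SSCANF (buffer_head, "%X",
-&connection->current_chunk_size)) &&
-(1 != SSCANF (buffer_head, "%x",
-&connection->current_chunk_size));
+connection->current_chunk_size = strtoul (buffer_head, &end, 16);
+malformed = ('\0' != *end);
 }
 if (malformed)
 {
@@ -1655,6 +1654,7 @@ parse_connection_headers (struct MHD_Connection *connection)
 unsigned MHD_LONG_LONG cval;
 struct MHD_Response *response;
 const char *enc;
+char *end;
 
 parse_cookie_header (connection);
 if ((0 != (MHD_USE_PEDANTIC_CHECKS & connection->daemon->options))
@@ -1687,7 +1687,9 @@ parse_connection_headers (struct MHD_Connection *connection)
 MHD_HTTP_HEADER_CONTENT_LENGTH);
 if (clen != NULL)
 {
-if (1 != SSCANF (clen, "%" MHD_LONG_LONG_PRINTF "u", &cval))
+cval = strtoul (clen, &end, 10);
+if ( ('\0' != *end) ||
+( (LONG_MAX == cval) && (errno == ERANGE) ) )
 {
 #if HAVE_MESSAGES
 MHD_DLOG (connection->daemon,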
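Review bot: The overflow test added for Content-Length in parse_connection_headers cannot fire as intended, because strtoul signals overflow by returning ULONG_MAX rather than LONG_MAX and nothing in the hunk clears errno before the call; an empty header value also passes, since strtoul then returns 0 and leaves `*end` at the terminator. I would write `errno = 0; cval = strtoul (clen, &end, 10);` followed by `if ( (end == clen) || ('\0' != *end) || ( (ULONG_MAX == cval) && (ERANGE == errno) ) )`. strtoul also skips leading whitespace and accepts a sign, so `-1` wraps to a very large length, and where unsigned long is 32 bits the result no longer covers the range the removed MHD_LONG_LONG scan did; a length that this server and an intermediary interpret differently is a request-desynchronisation risk, so both are worth rejecting explicitly. The chunk-size hunk in process_request_body has the same gaps: no empty-string, sign, `0x`-prefix or range check precedes `malformed = ('\0' != *end);`. Both functions begin and end outside the hunks shown.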
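--- a/src/daemon/digestauth.c
+++ b/src/daemon/digestauth.c
@@ -25,6 +25,7 @@
 */
 
 #include "platform.h"
+#include <limits.h>
 #include "internal.h"
 #include "md5.h"
 #include "base64.h"
@@ -447,6 +448,7 @@ MHD_digest_auth_check(struct MHD_Connection *connection,
 {
 size_t len;
 const char *header;
+char *end;
 char nonce[MAX_NONCE_LENGTH];
 char cnonce[MAX_NONCE_LENGTH];
 char qop[15]; /* auth,auth-int */
@@ -544,9 +546,12 @@ MHD_digest_auth_check(struct MHD_Connection *connection,
 ( (0 != strcmp (qop, "auth")) &&
 (0 != strcmp (qop, "")) ) ||
 (0 == lookup_sub_value(nc, sizeof (nc), header, "nc")) ||
-(1 != sscanf (nc, "%u", &nci)) ||
 (0 == lookup_sub_value(response, sizeof (response), header, "response")) )
 return MHD_NO;
+nci = strtoul (nc, &end, 10);
+if ( ('\0' != *end) ||
+( (LONG_MAX == nci) && (errno == ERANGE) ) )
+return MHD_NO; /* invalid nonce */
 
 /*
 * Checking if that combination of nonce and nc is sound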
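Review bot: The range test after `nci = strtoul (nc, &end, 10);` does not detect overflow, because strtoul returns ULONG_MAX (not LONG_MAX) on overflow and errno is not reset before the call; I would put `errno = 0;` ahead of it and test `if ( (end == nc) || ('\0' != *end) || ( (ULONG_MAX == nci) && (ERANGE == errno) ) )`. The removed `%u` scan suggests nci is an unsigned int (its declaration is outside the hunk); if so, a 64-bit unsigned long result is silently truncated on assignment, which matters because nci feeds the nonce/nc replay check that follows, so values above UINT_MAX should be rejected before the assignment. RFC 2617 defines nc as eight hexadecimal digits, so base 10 together with the strict `*end` test will now refuse values such as `0000000a`; base 16 looks like the intended radix. The trailing comment would also be more accurate as `/* invalid nonce count */`.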
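--- a/src/daemon/internal.c
+++ b/src/daemon/internal.c
@@ -121,7 +121,9 @@ MHD_http_unescape (void *cls,
 {
 char *rpos = val;
 char *wpos = val;
+char *end;
 unsigned int num;
+char buf3[3];
 
 while ('\0' != *rpos)
 {
@@ -133,10 +135,11 @@ MHD_http_unescape (void *cls,
 rpos++;
 break;
 case '%':
-if ( (1 == SSCANF (&rpos[1],
-"%2x", &num)) ||
-(1 == SSCANF (&rpos[1],
-"%2X", &num)) )
+buf3[0] = rpos[1];
+buf3[1] = rpos[2];
+buf3[2] = '\0';
+num = strtoul (buf3, &end, 16);
+if ('\0' == *end)
 {
 *wpos = (unsigned char) num;
 wpos++;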
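Review bot: In the `case '%':` branch, `buf3[1] = rpos[2];` reads one byte past the terminator when the input ends in `%`, and the `'\0' == *end` test then accepts the empty buf3 (strtoul returns 0 and leaves end at the start), so a trailing `%` is decoded as a NUL byte. strtoul also skips leading whitespace and takes a sign, so two-character sequences such as `% 1` or `%-1` are accepted as escapes although they are not two hex digits. Checking the characters first closes all of these: `if ( isxdigit ((unsigned char) rpos[1]) && isxdigit ((unsigned char) rpos[2]) )` before filling buf3, where the short-circuit keeps rpos[2] from being read after a NUL. The remainder of the branch, including how far rpos advances, lies outside the hunk, so it should be confirmed that it cannot step over the terminator for short input.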