diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2017-01-26 19:35:40 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-01-26 19:35:40 +0100 |
| commit | b4b12bf2344148976d1cd0f17bca0c0fbf7a364c (patch) | |
| tree | a04afb20458db1c5138928e5dc0ad832a6de00de | |
| parent | 4d417709b0fb837fd6884a9bc5a55027dec8a985 (diff) | |
| download | busybox-w32-b4b12bf2344148976d1cd0f17bca0c0fbf7a364c.tar.gz busybox-w32-b4b12bf2344148976d1cd0f17bca0c0fbf7a364c.tar.bz2 busybox-w32-b4b12bf2344148976d1cd0f17bca0c0fbf7a364c.zip | |
httpd: defend against attempts to OOM us. Closes 9611
We were strdup'ing "Cookie: foo" every time we saw it.
function old new delta
handle_incoming_and_exit 2733 2821 +88
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/httpd.c | 48 |
1 files changed, 24 insertions, 24 deletions
diff --git a/networking/httpd.c b/networking/httpd.c index 39aad90a8..8703fbd3d 100644 --- a/networking/httpd.c +++ b/networking/httpd.c | |||
| @@ -460,11 +460,6 @@ struct globals { | |||
| 460 | #define ip_a_d (G.ip_a_d ) | 460 | #define ip_a_d (G.ip_a_d ) |
| 461 | #define g_realm (G.g_realm ) | 461 | #define g_realm (G.g_realm ) |
| 462 | #define remoteuser (G.remoteuser ) | 462 | #define remoteuser (G.remoteuser ) |
| 463 | #define referer (G.referer ) | ||
| 464 | #define user_agent (G.user_agent ) | ||
| 465 | #define host (G.host ) | ||
| 466 | #define http_accept (G.http_accept ) | ||
| 467 | #define http_accept_language (G.http_accept_language) | ||
| 468 | #define file_size (G.file_size ) | 463 | #define file_size (G.file_size ) |
| 469 | #if ENABLE_FEATURE_HTTPD_RANGES | 464 | #if ENABLE_FEATURE_HTTPD_RANGES |
| 470 | #define range_start (G.range_start ) | 465 | #define range_start (G.range_start ) |
| @@ -1529,11 +1524,11 @@ static void send_cgi_and_exit( | |||
| 1529 | #endif | 1524 | #endif |
| 1530 | } | 1525 | } |
| 1531 | } | 1526 | } |
| 1532 | setenv1("HTTP_USER_AGENT", user_agent); | 1527 | setenv1("HTTP_USER_AGENT", G.user_agent); |
| 1533 | if (http_accept) | 1528 | if (G.http_accept) |
| 1534 | setenv1("HTTP_ACCEPT", http_accept); | 1529 | setenv1("HTTP_ACCEPT", G.http_accept); |
| 1535 | if (http_accept_language) | 1530 | if (G.http_accept_language) |
| 1536 | setenv1("HTTP_ACCEPT_LANGUAGE", http_accept_language); | 1531 | setenv1("HTTP_ACCEPT_LANGUAGE", G.http_accept_language); |
| 1537 | if (post_len) | 1532 | if (post_len) |
| 1538 | putenv(xasprintf("CONTENT_LENGTH=%d", post_len)); | 1533 | putenv(xasprintf("CONTENT_LENGTH=%d", post_len)); |
| 1539 | if (cookie) | 1534 | if (cookie) |
| @@ -1546,9 +1541,9 @@ static void send_cgi_and_exit( | |||
| 1546 | putenv((char*)"AUTH_TYPE=Basic"); | 1541 | putenv((char*)"AUTH_TYPE=Basic"); |
| 1547 | } | 1542 | } |
| 1548 | #endif | 1543 | #endif |
| 1549 | if (referer) | 1544 | if (G.referer) |
| 1550 | setenv1("HTTP_REFERER", referer); | 1545 | setenv1("HTTP_REFERER", G.referer); |
| 1551 | setenv1("HTTP_HOST", host); /* set to "" if NULL */ | 1546 | setenv1("HTTP_HOST", G.host); /* set to "" if NULL */ |
| 1552 | /* setenv1("SERVER_NAME", safe_gethostname()); - don't do this, | 1547 | /* setenv1("SERVER_NAME", safe_gethostname()); - don't do this, |
| 1553 | * just run "env SERVER_NAME=xyz httpd ..." instead */ | 1548 | * just run "env SERVER_NAME=xyz httpd ..." instead */ |
| 1554 | 1549 | ||
| @@ -2269,10 +2264,8 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr) | |||
| 2269 | #if ENABLE_FEATURE_HTTPD_PROXY | 2264 | #if ENABLE_FEATURE_HTTPD_PROXY |
| 2270 | /* We need 2 more bytes for yet another "\r\n" - | 2265 | /* We need 2 more bytes for yet another "\r\n" - |
| 2271 | * see near fdprintf(proxy_fd...) further below */ | 2266 | * see near fdprintf(proxy_fd...) further below */ |
| 2272 | if (proxy_entry && (header_ptr - header_buf) < IOBUF_SIZE - 2) { | 2267 | if (proxy_entry && (header_ptr - header_buf) < IOBUF_SIZE - 4) { |
| 2273 | int len = strlen(iobuf); | 2268 | int len = strnlen(iobuf, IOBUF_SIZE - (header_ptr - header_buf) - 4); |
| 2274 | if (len > IOBUF_SIZE - (header_ptr - header_buf) - 4) | ||
| 2275 | len = IOBUF_SIZE - (header_ptr - header_buf) - 4; | ||
| 2276 | memcpy(header_ptr, iobuf, len); | 2269 | memcpy(header_ptr, iobuf, len); |
| 2277 | header_ptr += len; | 2270 | header_ptr += len; |
| 2278 | header_ptr[0] = '\r'; | 2271 | header_ptr[0] = '\r'; |
| @@ -2303,19 +2296,26 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr) | |||
| 2303 | #endif | 2296 | #endif |
| 2304 | #if ENABLE_FEATURE_HTTPD_CGI | 2297 | #if ENABLE_FEATURE_HTTPD_CGI |
| 2305 | else if (STRNCASECMP(iobuf, "Cookie:") == 0) { | 2298 | else if (STRNCASECMP(iobuf, "Cookie:") == 0) { |
| 2306 | cookie = xstrdup(skip_whitespace(iobuf + sizeof("Cookie:")-1)); | 2299 | if (!cookie) /* in case they send millions of these, do not OOM */ |
| 2300 | cookie = xstrdup(skip_whitespace(iobuf + sizeof("Cookie:")-1)); | ||
| 2307 | } else if (STRNCASECMP(iobuf, "Content-Type:") == 0) { | 2301 | } else if (STRNCASECMP(iobuf, "Content-Type:") == 0) { |
| 2308 | content_type = xstrdup(skip_whitespace(iobuf + sizeof("Content-Type:")-1)); | 2302 | if (!content_type) |
| 2303 | content_type = xstrdup(skip_whitespace(iobuf + sizeof("Content-Type:")-1)); | ||
| 2309 | } else if (STRNCASECMP(iobuf, "Referer:") == 0) { | 2304 | } else if (STRNCASECMP(iobuf, "Referer:") == 0) { |
| 2310 | referer = xstrdup(skip_whitespace(iobuf + sizeof("Referer:")-1)); | 2305 | if (!G.referer) |
| 2306 | G.referer = xstrdup(skip_whitespace(iobuf + sizeof("Referer:")-1)); | ||
| 2311 | } else if (STRNCASECMP(iobuf, "User-Agent:") == 0) { | 2307 | } else if (STRNCASECMP(iobuf, "User-Agent:") == 0) { |
| 2312 | user_agent = xstrdup(skip_whitespace(iobuf + sizeof("User-Agent:")-1)); | 2308 | if (!G.user_agent) |
| 2309 | G.user_agent = xstrdup(skip_whitespace(iobuf + sizeof("User-Agent:")-1)); | ||
| 2313 | } else if (STRNCASECMP(iobuf, "Host:") == 0) { | 2310 | } else if (STRNCASECMP(iobuf, "Host:") == 0) { |
| 2314 | host = xstrdup(skip_whitespace(iobuf + sizeof("Host:")-1)); | 2311 | if (!G.host) |
| 2312 | G.host = xstrdup(skip_whitespace(iobuf + sizeof("Host:")-1)); | ||
| 2315 | } else if (STRNCASECMP(iobuf, "Accept:") == 0) { | 2313 | } else if (STRNCASECMP(iobuf, "Accept:") == 0) { |
| 2316 | http_accept = xstrdup(skip_whitespace(iobuf + sizeof("Accept:")-1)); | 2314 | if (!G.http_accept) |
| 2315 | G.http_accept = xstrdup(skip_whitespace(iobuf + sizeof("Accept:")-1)); | ||
| 2317 | } else if (STRNCASECMP(iobuf, "Accept-Language:") == 0) { | 2316 | } else if (STRNCASECMP(iobuf, "Accept-Language:") == 0) { |
| 2318 | http_accept_language = xstrdup(skip_whitespace(iobuf + sizeof("Accept-Language:")-1)); | 2317 | if (!G.http_accept_language) |
| 2318 | G.http_accept_language = xstrdup(skip_whitespace(iobuf + sizeof("Accept-Language:")-1)); | ||
| 2319 | } | 2319 | } |
| 2320 | #endif | 2320 | #endif |
| 2321 | #if ENABLE_FEATURE_HTTPD_BASIC_AUTH | 2321 | #if ENABLE_FEATURE_HTTPD_BASIC_AUTH |