| author | Denys Vlasenko <vda.linux@googlemail.com> | 2026-01-22 15:33:42 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2026-01-22 15:33:42 +0100 |
| commit | 52a88341d6782569ec4f29d5ffde1a246c296c2b (patch) | |
| tree | c8874478deba75e9143575b2a895a581cd792342 | |
| parent | f0a63eefae8af5989da4285416b371481fed4f46 (diff) | |
httpd: when reading headers, abort if they are too long
function old new delta
get_line 130 134 +4
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/httpd.c | 16 |
1 files changed, 9 insertions, 7 deletions
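diff --git a/networking/httpd.c b/networking/httpd.c
index 73f00ef39..d8d0f8dd9 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -1308,20 +1308,22 @@ static void send_headers_and_exit(int responseNum)
 
 /*
 * Read from the socket until '\n' or EOF.
+* Data is returned in iobuf[].
 * '\r' chars are removed.
 * '\n' is replaced with NUL.
-* Control chars and > 0x7e cause HTTP_BAD_REQUEST abort.
+* Control chars and 0x7f cause HTTP_BAD_REQUEST abort.
+* iobuf[] overflow causes HTTP_BAD_REQUEST abort.
 * Return number of characters read or 0 if nothing is read
 * ('\r' and '\n' are not counted).
-* Data is returned in iobuf.
 */
 static unsigned get_line(void)
 {
 unsigned count;
-char c;
 
 count = 0;
 while (1) {
+unsigned char c;
+
 if (hdr_cnt <= 0) {
 alarm(HEADER_READ_TIMEOUT);
 hdr_cnt = safe_read(STDIN_FILENO, hdr_buf, sizeof_hdr_buf);
@@ -1342,13 +1344,13 @@ static unsigned get_line(void)
 /* rfc7230 allows tabs for header line continuation and as whitespace in values */
 if (c != '\t') {
 /* Control chars aren't allowed in headers */
-if ((unsigned char)c < ' ' || (unsigned char)c == 0x7f)
+if (c < ' ' || c == 0x7f)
 send_headers_and_exit(HTTP_BAD_REQUEST);
 /* hign bytes above 0x7f are heavily discouraged, but historically allowed */
 }
-iobuf[count] = c;
-if (count < (IOBUF_SIZE - 1)) /* check overflow */
-count++;
+iobuf[count++] = c;
+if (count >= IOBUF_SIZE)
+send_headers_and_exit(HTTP_BAD_REQUEST);
 }
 ret:
 iobuf[count] = '\0';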
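Review bot: In the second hunk the new bound `if (count >= IOBUF_SIZE)` is tested only after `iobuf[count++] = c;`, so the last byte stored lands at most in iobuf[IOBUF_SIZE - 1] and on the non-abort path count never exceeds IOBUF_SIZE - 1, which is exactly the room `iobuf[count] = '\0';` at `ret:` needs; that invariant is easy to break by reordering the store and the check or by relaxing `>=` to `>`, so it deserves a comment such as `/* count <= IOBUF_SIZE-1 here: room for the NUL written at ret: */`. The accepted header line length is therefore IOBUF_SIZE - 1 bytes, and the new doc line "iobuf[] overflow causes HTTP_BAD_REQUEST abort" in the first hunk would be more useful if it named that limit. If send_headers_and_exit() formats its response in iobuf (not visible here), be aware that iobuf is not NUL-terminated at the point of the abort, since the terminator is only written at `ret:`. The unchanged context comment still reads `hign`; correcting it to `high` would be a cheap drive-by. get_line's return statement lies outside the hunk.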
