diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2018-04-08 18:06:24 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2018-04-08 18:06:24 +0200 |
| commit | 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e (patch) | |
| tree | eea0f2855d6cc97b50e979e280e39d7d6497bf9d | |
| parent | 7bcde5f00dc3a5c92f36bb6ef6bf849794cd766e (diff) | |
| download | busybox-w32-8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.tar.gz busybox-w32-8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.tar.bz2 busybox-w32-8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.zip | |
wget: check chunk length for overflowing off_t
function old new delta
retrieve_file_data 428 465 +37
wget_main 2386 2389 +3
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/wget.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/networking/wget.c b/networking/wget.c index c9e576e69..2650b5384 100644 --- a/networking/wget.c +++ b/networking/wget.c | |||
| @@ -801,7 +801,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_ | |||
| 801 | if (ftpcmd("SIZE ", target->path, sfp) == 213) { | 801 | if (ftpcmd("SIZE ", target->path, sfp) == 213) { |
| 802 | G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10); | 802 | G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10); |
| 803 | if (G.content_len < 0 || errno) { | 803 | if (G.content_len < 0 || errno) { |
| 804 | bb_error_msg_and_die("SIZE value is garbage"); | 804 | bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4); |
| 805 | } | 805 | } |
| 806 | G.got_clen = 1; | 806 | G.got_clen = 1; |
| 807 | } | 807 | } |
| @@ -965,11 +965,19 @@ static void NOINLINE retrieve_file_data(FILE *dfp) | |||
| 965 | if (!G.chunked) | 965 | if (!G.chunked) |
| 966 | break; | 966 | break; |
| 967 | 967 | ||
| 968 | fgets_trim_sanitize(dfp, NULL); /* Eat empty line */ | 968 | /* Each chunk ends with "\r\n" - eat it */ |
| 969 | fgets_trim_sanitize(dfp, NULL); | ||
| 969 | get_clen: | 970 | get_clen: |
| 971 | /* chunk size format is "HEXNUM[;name[=val]]\r\n" */ | ||
| 970 | fgets_trim_sanitize(dfp, NULL); | 972 | fgets_trim_sanitize(dfp, NULL); |
| 973 | errno = 0; | ||
| 971 | G.content_len = STRTOOFF(G.wget_buf, NULL, 16); | 974 | G.content_len = STRTOOFF(G.wget_buf, NULL, 16); |
| 972 | /* FIXME: error check? */ | 975 | /* |
| 976 | * Had a bug with inputs like "ffffffff0001f400" | ||
| 977 | * smashing the heap later. Ensure >= 0. | ||
| 978 | */ | ||
| 979 | if (G.content_len < 0 || errno) | ||
| 980 | bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf); | ||
| 973 | if (G.content_len == 0) | 981 | if (G.content_len == 0) |
| 974 | break; /* all done! */ | 982 | break; /* all done! */ |
| 975 | G.got_clen = 1; | 983 | G.got_clen = 1; |