1 files changed, 19 insertions, 6 deletions
diff --git a/networking/httpd.c b/networking/httpd.c
index 00169c36d..ed15fd883 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -967,19 +967,30 @@ static void send_headers(int responseNum)
        }
 #endif
        if (responseNum == HTTP_MOVED_TEMPORARILY) {
-                len += sprintf(iobuf + len, "Location: %s/%s%s\r\n",
+                /* Responding to "GET /dir" with
+                 * "HTTP/1.0 302 Found" "Location: /dir/"
+                 * - IOW, asking them to repeat with a slash.
+                 * Here, overflow IS possible, can't use sprintf:
+                 * mkdir test
+                 * python -c 'print("get /test?" + ("x" * 8192))' | busybox httpd -i -h .
+                 */
+                len += snprintf(iobuf + len, IOBUF_SIZE-3 - len,
+                                "Location: %s/%s%s\r\n",
                                found_moved_temporarily,
                                (g_query ? "?" : ""),
                                (g_query ? g_query : ""));
+                if (len > IOBUF_SIZE-3)
+                        len = IOBUF_SIZE-3;
        }
 #if ENABLE_FEATURE_HTTPD_ERROR_PAGES
        if (error_page && access(error_page, R_OK) == 0) {
-                strcat(iobuf, "\r\n");
+                iobuf[len++] = '\r';
-                len += 2;
+                iobuf[len++] = '\n';
+                if (DEBUG) {
-                if (DEBUG)
+                        iobuf[len] = '\0';
                        fprintf(stderr, "headers: '%s'\n", iobuf);
+                }
                full_write(STDOUT_FILENO, iobuf, len);
                if (DEBUG)
                        fprintf(stderr, "writing error page: '%s'\n", error_page);
@@ -1021,8 +1032,10 @@ static void send_headers(int responseNum)
                                responseNum, responseString,
                                responseNum, responseString, infoString);
        }
-        if (DEBUG)
+        if (DEBUG) {
+                iobuf[len] = '\0';
                fprintf(stderr, "headers: '%s'\n", iobuf);
+        }
        if (full_write(STDOUT_FILENO, iobuf, len) != len) {
                if (verbose > 1)
                        bb_perror_msg("error");

diff --git a/networking/httpd.c b/networking/httpd.c index 00169c36d..ed15fd883 100644 --- a/networking/httpd.c +++ b/networking/httpd.c
@@ -967,19 +967,30 @@ static void send_headers(int responseNum)
967	}	967	}
968	#endif	968	#endif
969	if (responseNum == HTTP_MOVED_TEMPORARILY) {	969	if (responseNum == HTTP_MOVED_TEMPORARILY) {
970	len += sprintf(iobuf + len, "Location: %s/%s%s\r\n",	970	/* Responding to "GET /dir" with
		971	* "HTTP/1.0 302 Found" "Location: /dir/"
		972	* - IOW, asking them to repeat with a slash.
		973	* Here, overflow IS possible, can't use sprintf:
		974	* mkdir test
		975	* python -c 'print("get /test?" + ("x" * 8192))' \| busybox httpd -i -h .
		976	*/
		977	len += snprintf(iobuf + len, IOBUF_SIZE-3 - len,
		978	"Location: %s/%s%s\r\n",
971	found_moved_temporarily,	979	found_moved_temporarily,
972	(g_query ? "?" : ""),	980	(g_query ? "?" : ""),
973	(g_query ? g_query : ""));	981	(g_query ? g_query : ""));
		982	if (len > IOBUF_SIZE-3)
		983	len = IOBUF_SIZE-3;
974	}	984	}
975		985
976	#if ENABLE_FEATURE_HTTPD_ERROR_PAGES	986	#if ENABLE_FEATURE_HTTPD_ERROR_PAGES
977	if (error_page && access(error_page, R_OK) == 0) {	987	if (error_page && access(error_page, R_OK) == 0) {
978	strcat(iobuf, "\r\n");	988	iobuf[len++] = '\r';
979	len += 2;	989	iobuf[len++] = '\n';
980		990	if (DEBUG) {
981	if (DEBUG)	991	iobuf[len] = '\0';
982	fprintf(stderr, "headers: '%s'\n", iobuf);	992	fprintf(stderr, "headers: '%s'\n", iobuf);
		993	}
983	full_write(STDOUT_FILENO, iobuf, len);	994	full_write(STDOUT_FILENO, iobuf, len);
984	if (DEBUG)	995	if (DEBUG)
985	fprintf(stderr, "writing error page: '%s'\n", error_page);	996	fprintf(stderr, "writing error page: '%s'\n", error_page);
@@ -1021,8 +1032,10 @@ static void send_headers(int responseNum)
1021	responseNum, responseString,	1032	responseNum, responseString,
1022	responseNum, responseString, infoString);	1033	responseNum, responseString, infoString);
1023	}	1034	}
1024	if (DEBUG)	1035	if (DEBUG) {
		1036	iobuf[len] = '\0';
1025	fprintf(stderr, "headers: '%s'\n", iobuf);	1037	fprintf(stderr, "headers: '%s'\n", iobuf);
		1038	}
1026	if (full_write(STDOUT_FILENO, iobuf, len) != len) {	1039	if (full_write(STDOUT_FILENO, iobuf, len) != len) {
1027	if (verbose > 1)	1040	if (verbose > 1)
1028	bb_perror_msg("error");	1041	bb_perror_msg("error");