From 95c90076683d0f8e68cd53cc9f62acc40f4477a6 Mon Sep 17 00:00:00 2001
From: YAMAMOTO Takashi
Date: Fri, 14 May 2021 11:24:58 +0900
Subject: [PATCH] webclient: Fix buffer overrun in wget_parsestatus

Similarly to the fix in wget_parseheaders. But simply always bail out as i guess it's very rare to see that long status line. Tested with an aritifically small CONFIG_WEBCLIENT_MAXHTTPLINE=20, which is smaller than "HTTP/1.1 301 Moved Permanently".
---
 netutils/webclient/webclient.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/netutils/webclient/webclient.c b/netutils/webclient/webclient.c
index 7f84ccc00..72f5585cc 100644
--- a/netutils/webclient/webclient.c
+++ b/netutils/webclient/webclient.c
@@ -376,9 +376,20 @@ static inline int wget_parsestatus(struct webclient_context *ctx,

 while (offset < ws->datend)
 {
+ bool got_nl;
+
 ws->line[ndx] = ws->buffer[offset];
- if (ws->line[ndx] == ISO_NL)
+ got_nl = ws->line[ndx] == ISO_NL;
+ if (got_nl || ndx == CONFIG_WEBCLIENT_MAXHTTPLINE - 1)
 {
+ if (!got_nl)
+ {
+ nerr("ERROR: HTTP status line didn't fit "
+ "CONFIG_WEBCLIENT_MAXHTTPLINE: %.*s\n",
+ ndx, ws->line);
+ return -E2BIG;
+ }
+
 ws->line[ndx] = '\0';
 if ((strncmp(ws->line, g_http10, strlen(g_http10)) == 0) ||
 (strncmp(ws->line, g_http11, strlen(g_http11)) == 0))
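Review bot: The new error path in wget_parsestatus prints the rejected status line with `%.*s`, and those bytes come straight from the remote server, so any control characters or escape sequences in an over-long status line land verbatim in the device log. Reporting the limit alone is enough to diagnose the condition, e.g. `nerr("ERROR: HTTP status line didn't fit CONFIG_WEBCLIENT_MAXHTTPLINE (%d)\n", CONFIG_WEBCLIENT_MAXHTTPLINE);`. Separately, the guard is an equality test that runs after the store to `ws->line[ndx]`, so it relies on ndx never arriving above the limit. ndx is initialised outside this hunk, presumably from saved state, so `ndx >= CONFIG_WEBCLIENT_MAXHTTPLINE - 1` checked before the store would be the more defensive form. The function body starts before and continues after the hunk, so the increment path and the caller's handling of `-E2BIG` are not visible here.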