remove buffer overflow by Erik and decodeString problem by Glenn, add error check of decodeString as Apache

"Vladimir N. Oleynik" 2005-12-26 17:26:59 +00:00
parent ce88793698
commit 0bf67e849a


@ -747,7 +747,7 @@ static char *encodeString(const char *string)
/* take the simple route and encode everything */ /* take the simple route and encode everything */
/* could possibly scan once to get length. */ /* could possibly scan once to get length. */
int len = strlen(string); int len = strlen(string);
char *out = malloc(len*5 +1); char *out = malloc(len * 6 + 1);
char *p=out; char *p=out;
char ch; char ch;
@ -792,10 +792,21 @@ static char *decodeString(char *orig, int flag_plus_to_space)
if (*ptr == '+' && flag_plus_to_space) { *string++ = ' '; ptr++; } if (*ptr == '+' && flag_plus_to_space) { *string++ = ' '; ptr++; }
else if (*ptr != '%') *string++ = *ptr++; else if (*ptr != '%') *string++ = *ptr++;
else { else {
unsigned int value; unsigned int value1, value2;
sscanf(ptr+1, "%2X", &value);
*string++ = value; ptr++;
ptr += 3; if(sscanf(ptr, "%1X", &value1) != 1 ||
sscanf(ptr+1, "%1X", &value2) != 1) {
if(!flag_plus_to_space)
return NULL;
*string++ = '%';
} else {
value1 = value1 * 16 + value2;
if(value1 == '/' || value1 == 0)
return orig+1;
*string++ = value1;
ptr += 2;
}
} }
} }
*string = '\0'; *string = '\0';
@ -1604,7 +1615,13 @@ BAD_REQUEST:
*purl = ' '; *purl = ' ';
count = sscanf(purl, " %[^ ] HTTP/%d.%*d", buf, &blank); count = sscanf(purl, " %[^ ] HTTP/%d.%*d", buf, &blank);
decodeString(buf, 0); test = decodeString(buf, 0);
if(test == NULL)
goto BAD_REQUEST;
if(test == (buf+1)) {
sendHeaders(HTTP_NOT_FOUND);
break;
}
if (count < 1 || buf[0] != '/') { if (count < 1 || buf[0] != '/') {
/* Garbled request/URL */ /* Garbled request/URL */
goto BAD_REQUEST; goto BAD_REQUEST;
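Review bot: The new escape check in decodeString is looser than it looks, because `sscanf(ptr, "%1X", &value1)` skips leading whitespace before matching, so a `%` followed by a tab or newline and then a hex digit passes validation while `ptr += 2` still advances by a fixed two bytes. Testing the two bytes directly, e.g. `if (!isxdigit((unsigned char)ptr[0]) || !isxdigit((unsigned char)ptr[1]))`, and converting only after that keeps the decoder strict and makes the `'/'`/NUL rejection apply to exactly the bytes consumed. The `return NULL` and `return orig+1` exits are in-band sentinels that skip the final `*string = '\0'`, so a comment above the function such as `/* returns NULL on a malformed escape, orig+1 on an encoded '/' or NUL; the buffer is only partly decoded in both cases */` would help, and any call site not shown here needs the same checks as the one in the `BAD_REQUEST` hunk. In that caller, `decodeString(buf, 0)` still runs before `count < 1` is tested, so when sscanf stores nothing the 400/404 decision is made on whatever buf already held; testing `count` first would avoid that. Both function bodies extend beyond the lines shown.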