svn commit: trunk/busybox/networking
vodz at busybox.net
vodz at busybox.net
Mon Dec 26 17:27:03 UTC 2005
Author: vodz
Date: 2005-12-26 09:26:59 -0800 (Mon, 26 Dec 2005)
New Revision: 12978
Log:
remove buffer overflow by Erik and decodeString problem by Glenn, add error check of decodeString as Apache
Modified:
trunk/busybox/networking/httpd.c
Changeset:
Modified: trunk/busybox/networking/httpd.c
===================================================================
--- trunk/busybox/networking/httpd.c 2005-12-24 02:30:28 UTC (rev 12977)
+++ trunk/busybox/networking/httpd.c 2005-12-26 17:26:59 UTC (rev 12978)
@@ -747,7 +747,7 @@
/* take the simple route and encode everything */
/* could possibly scan once to get length. */
int len = strlen(string);
- char *out = malloc(len*5 +1);
+ char *out = malloc(len * 6 + 1);
char *p=out;
char ch;
@@ -792,10 +792,21 @@
if (*ptr == '+' && flag_plus_to_space) { *string++ = ' '; ptr++; }
else if (*ptr != '%') *string++ = *ptr++;
else {
- unsigned int value;
- sscanf(ptr+1, "%2X", &value);
- *string++ = value;
- ptr += 3;
+ unsigned int value1, value2;
+
+ ptr++;
+ if(sscanf(ptr, "%1X", &value1) != 1 ||
+ sscanf(ptr+1, "%1X", &value2) != 1) {
+ if(!flag_plus_to_space)
+ return NULL;
+ *string++ = '%';
+ } else {
+ value1 = value1 * 16 + value2;
+ if(value1 == '/' || value1 == 0)
+ return orig+1;
+ *string++ = value1;
+ ptr += 2;
+ }
}
}
*string = '\0';
@@ -1604,7 +1615,13 @@
*purl = ' ';
count = sscanf(purl, " %[^ ] HTTP/%d.%*d", buf, &blank);
- decodeString(buf, 0);
+ test = decodeString(buf, 0);
+ if(test == NULL)
+ goto BAD_REQUEST;
+ if(test == (buf+1)) {
+ sendHeaders(HTTP_NOT_FOUND);
+ break;
+ }
if (count < 1 || buf[0] != '/') {
/* Garbled request/URL */
goto BAD_REQUEST;
More information about the busybox-cvs
mailing list