fix: mitigate potential security buffer-overflows

0xdeadbeer 2024-09-03 22:09:09 +02:00
parent b33e45ff35
commit a20c833796
3 changed files with 34 additions and 9 deletions

2
README

@ -18,7 +18,7 @@ LEAKS
TODO
* headers table needs length fields
* headers table needs length fields
* implement tests
* integrations with tinyproxy..?

Binary file not shown.


@ -44,7 +44,7 @@ int parse_header(char *offset, int len) {
char *cursor_lim = offset+len;
// header title
char *htitle_lim = strchr(offset, ':');
char *htitle_lim = strchr(cursor, ':');
if (!htitle_lim) {
return -1;
}
@ -62,8 +62,17 @@ int parse_header(char *offset, int len) {
cursor += diff;
// white space and seperators
while (*cursor == ':' || *cursor == ' ') {
_loop:
if (cursor > cursor_lim) {
return -1;
}
if (*cursor == ':') {
cursor++;
goto _loop;
}
if (*cursor == ' ') {
cursor++;
goto _loop;
}
// header value
@ -86,6 +95,9 @@ int parse_title(char *offset, int len) {
if (!method_lim) {
return -1;
}
if (method_lim > cursor_lim) {
return -1;
}
diff = method_lim-cursor;
ret = streencmp(method_tree, cursor, diff);
@ -97,8 +109,13 @@ int parse_title(char *offset, int len) {
cursor += diff;
// white space
while (*cursor == ' ') {
_loop1:
if (cursor > cursor_lim) {
return -1;
}
if (*cursor == ' ') {
cursor++;
goto _loop1;
}
// uri
@ -106,6 +123,9 @@ int parse_title(char *offset, int len) {
if (!uri_lim) {
return -1;
}
if (uri_lim > cursor_lim) {
return -1;
}
diff = uri_lim-cursor;
uri = cursor;
@ -114,8 +134,13 @@ int parse_title(char *offset, int len) {
cursor += diff;
// white space
while (*cursor == ' ') {
_loop2:
if (cursor > cursor_lim) {
return -1;
}
if (*cursor == ' ') {
cursor++;
goto _loop2;
}
// ver
@ -160,9 +185,9 @@ int parse_request(char *buffer) {
void debug_stats(void) {
fprintf(stderr, "\tstats:\n"
"\t\tmethod: %d\n"
"\t\turi : %.*s\n"
"\t\tver : %.*s\n",
"\t\tmethod\t: %d\n"
"\t\turi\t: %.*s\n"
"\t\tver\t: %.*s\n",
method, uri_len, uri, ver_len, ver
);
@ -173,7 +198,7 @@ void debug_stats(void) {
continue;
}
fprintf(stdout, "\t\t%d: %.*s\n", i, pnt->len, pnt->er);
fprintf(stdout, "\t\t%d\t: %.*s\n", i, pnt->len, pnt->er);
}
}
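Review bot: The added guards `if (cursor > cursor_lim)` at `_loop`, `_loop1` and `_loop2` still let `cursor == cursor_lim` through, and the following `*cursor` test then reads one byte past the `len` bytes passed in, given `cursor_lim = offset+len` as parse_header sets it (parse_title's definition is not visible, presumably the same); the comparison should be `if (cursor >= cursor_lim) {`. The same off-by-one applies to `method_lim > cursor_lim` and `uri_lim > cursor_lim`, which accept a delimiter found exactly at the limit. In parse_header the result of `strchr(cursor, ':')` is not compared against `cursor_lim` in the visible lines, and strchr itself scans to the NUL terminator rather than to `len`, so unless the buffer is guaranteed to be NUL-terminated inside `len`, `memchr(cursor, ':', cursor_lim - cursor)` would keep the search bounded. Both function bodies continue outside the hunks shown, so the elided lines may already cover part of this.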