fix: mitigate potential security buffer-overflows

This commit is contained in:
0xdeadbeer 2024-09-03 22:09:09 +02:00
parent b33e45ff35
commit a20c833796
3 changed files with 34 additions and 9 deletions

2
README

@ -18,7 +18,7 @@ LEAKS
TODO TODO
* headers table needs length fields * headers table needs length fields
* implement tests * implement tests
* integrations with tinyproxy..? * integrations with tinyproxy..?

Binary file not shown.


@ -44,7 +44,7 @@ int parse_header(char *offset, int len) {
char *cursor_lim = offset+len; char *cursor_lim = offset+len;
// header title // header title
char *htitle_lim = strchr(offset, ':'); char *htitle_lim = strchr(cursor, ':');
if (!htitle_lim) { if (!htitle_lim) {
return -1; return -1;
} }
@ -62,8 +62,17 @@ int parse_header(char *offset, int len) {
cursor += diff; cursor += diff;
// white space and seperators // white space and seperators
while (*cursor == ':' || *cursor == ' ') { _loop:
if (cursor > cursor_lim) {
return -1;
}
if (*cursor == ':') {
cursor++;
goto _loop;
}
if (*cursor == ' ') {
cursor++; cursor++;
goto _loop;
} }
// header value // header value
@ -86,6 +95,9 @@ int parse_title(char *offset, int len) {
if (!method_lim) { if (!method_lim) {
return -1; return -1;
} }
if (method_lim > cursor_lim) {
return -1;
}
diff = method_lim-cursor; diff = method_lim-cursor;
ret = streencmp(method_tree, cursor, diff); ret = streencmp(method_tree, cursor, diff);
@ -97,8 +109,13 @@ int parse_title(char *offset, int len) {
cursor += diff; cursor += diff;
// white space // white space
while (*cursor == ' ') { _loop1:
if (cursor > cursor_lim) {
return -1;
}
if (*cursor == ' ') {
cursor++; cursor++;
goto _loop1;
} }
// uri // uri
@ -106,6 +123,9 @@ int parse_title(char *offset, int len) {
if (!uri_lim) { if (!uri_lim) {
return -1; return -1;
} }
if (uri_lim > cursor_lim) {
return -1;
}
diff = uri_lim-cursor; diff = uri_lim-cursor;
uri = cursor; uri = cursor;
@ -114,8 +134,13 @@ int parse_title(char *offset, int len) {
cursor += diff; cursor += diff;
// white space // white space
while (*cursor == ' ') { _loop2:
if (cursor > cursor_lim) {
return -1;
}
if (*cursor == ' ') {
cursor++; cursor++;
goto _loop2;
} }
// ver // ver
@ -160,9 +185,9 @@ int parse_request(char *buffer) {
void debug_stats(void) { void debug_stats(void) {
fprintf(stderr, "\tstats:\n" fprintf(stderr, "\tstats:\n"
"\t\tmethod: %d\n" "\t\tmethod\t: %d\n"
"\t\turi : %.*s\n" "\t\turi\t: %.*s\n"
"\t\tver : %.*s\n", "\t\tver\t: %.*s\n",
method, uri_len, uri, ver_len, ver method, uri_len, uri, ver_len, ver
); );
@ -173,7 +198,7 @@ void debug_stats(void) {
continue; continue;
} }
fprintf(stdout, "\t\t%d: %.*s\n", i, pnt->len, pnt->er); fprintf(stdout, "\t\t%d\t: %.*s\n", i, pnt->len, pnt->er);
} }
} }
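Review bot: The new bound check in parse_header, `if (cursor > cursor_lim)` in the `_loop` block, is off by one: `cursor_lim` is `offset+len` (the first hunk), i.e. one past the last valid byte, so when `cursor == cursor_lim` the check passes and the following `*cursor == ':'` still reads one byte past the buffer; it should be `if (cursor >= cursor_lim)`, and the same applies to the `_loop1` and `_loop2` checks in parse_title. The `strchr(cursor, ':')` in the first hunk (and, if `method_lim`/`uri_lim` are produced the same way outside these hunks, those searches too) scans until a NUL regardless of `len`, so the added `method_lim > cursor_lim` / `uri_lim > cursor_lim` checks run only after the over-read has already happened; a bounded `memchr(cursor, ':', (size_t)(cursor_lim - cursor))` would make the limit checks sufficient. As a matter of style, the label/goto form is harder to read than the loop it replaced and can be kept as a single bounded loop, e.g. `while (cursor < cursor_lim && (*cursor == ':' || *cursor == ' ')) { cursor++; }` for parse_header and `while (cursor < cursor_lim && *cursor == ' ') { cursor++; }` for the two sites in parse_title. Both parse_header and parse_title begin and end outside these hunks.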