authorJouni Malinen <j@w1.fi>2015-08-24 21:17:00 (GMT)
committerJouni Malinen <j@w1.fi>2015-08-24 21:17:00 (GMT)
commit2ce741fe0f7335dd8a6ca787d3ad95748e0f8d2f (patch)
treeea0c00a1b3c44e442b588d4c78205e3477cc2239
parent20f331b7072b07e08f9600512356f6cf559cb3a3 (diff)
WPS: Fix HTTP body length check
Commit 7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e ('WPS: Check maximum HTTP body length earlier in the process') added too strict check for body length allocation. The comparison of new_alloc_nbytes against h->max_bytes did not take into account that HTTPREAD_BODYBUF_DELTA was added to previous allocation even if that ended up going beyond h->max_bytes. This ended up rejecting some valid HTTP operations, e.g., when checking AP response to WPS ER setting selected registrar. Fix this by taking HTTPREAD_BODYBUF_DELTA into account. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/wps/httpread.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index 180b572..d6c2b62 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -506,10 +506,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
new_alloc_nbytes < (h->content_length + 1))
new_alloc_nbytes = h->content_length + 1;
if (new_alloc_nbytes < h->body_alloc_nbytes ||
- new_alloc_nbytes > h->max_bytes) {
+ new_alloc_nbytes > h->max_bytes +
+ HTTPREAD_BODYBUF_DELTA) {
wpa_printf(MSG_DEBUG,
- "httpread: Unacceptable body length %d",
- new_alloc_nbytes);
+ "httpread: Unacceptable body length %d (body_alloc_nbytes=%u max_bytes=%u)",
+ new_alloc_nbytes,
+ h->body_alloc_nbytes,
+ h->max_bytes);
goto bad;
}
if ((new_body = os_realloc(h->body, new_alloc_nbytes))
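Review bot: The relaxed limit `new_alloc_nbytes > h->max_bytes + HTTPREAD_BODYBUF_DELTA` lets the body buffer grow past `max_bytes` by up to `HTTPREAD_BODYBUF_DELTA` bytes, and nothing visible in the hunk shows whether the received body length itself is still capped at `max_bytes`. A comment above the comparison would record the intent, e.g. `/* Buffer grows in HTTPREAD_BODYBUF_DELTA steps, so allow one step of slack above max_bytes; the body length limit is enforced separately */`, once that separate limit is confirmed. The declarations are outside the hunk, but if these fields are signed `int` the sum can overflow for a `max_bytes` close to `INT_MAX`, so the bound is worth computing in a way that cannot wrap. The new debug message also prints `h->body_alloc_nbytes` and `h->max_bytes` with `%u` while `new_alloc_nbytes` keeps `%d`, although all three are compared directly against each other; the specifiers should match the declared types. `httpread_read_handler` starts and ends outside the hunk.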