aboutsummaryrefslogtreecommitdiffstats
path: root/src/wps
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-04-28 14:23:06 (GMT)
committerJouni Malinen <j@w1.fi>2015-05-03 15:26:50 (GMT)
commit7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e (patch)
tree05c4e025b9fb6a764ffe7d1acb0de3192c1bd30d /src/wps
parentaf185d0b578fc447b1db0b42a03d8b2467decffd (diff)
downloadhostap-7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e.zip
hostap-7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e.tar.gz
hostap-7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e.tar.bz2
WPS: Check maximum HTTP body length earlier in the process
There is no need to continue processing a HTTP body when it becomes clear that the end result would be over the maximum length. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/wps')
-rw-r--r--src/wps/httpread.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index 3570a1f..454519c 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -177,6 +177,12 @@ static int httpread_hdr_option_analyze(
if (!isdigit(*hbp))
return -1;
h->content_length = atol(hbp);
+ if (h->content_length < 0 || h->content_length > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Unacceptable Content-Length %d",
+ h->content_length);
+ return -1;
+ }
h->got_content_length = 1;
return 0;
}
@@ -509,6 +515,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
if (h->got_content_length &&
new_alloc_nbytes < (h->content_length + 1))
new_alloc_nbytes = h->content_length + 1;
+ if (new_alloc_nbytes < h->body_alloc_nbytes ||
+ new_alloc_nbytes > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Unacceptable body length %d",
+ new_alloc_nbytes);
+ goto bad;
+ }
if ((new_body = os_realloc(h->body, new_alloc_nbytes))
== NULL)
goto bad;