From 71f663b2056e9b0328783cb57b5db5baa5a317dc Mon Sep 17 00:00:00 2001
From: Karol Kosek
Date: Sat, 16 Oct 2021 01:40:43 +0200
Subject: [PATCH] LibHTTP: Fix buffer overflow when body is larger than the Content-Length
(Actually, this also needs a Content-Encoding header, as response streaming is disabled then. It didn't fit in the title.) We were creating too small buffer -- instead of assigning the total received buffer size, we were using the Content-Length value. As you can see, the m_buffered_size might now exceed the Content-Length value, but that will be handled in next commits, regardless if the response can be streamed or not. :^) Here's a minimal code that caused crash before:
printf 'HTTP/1.0 200 OK\r\n%s\r\n%s\r\n\r\n%s' \
'Content-Encoding: anything' 'Content-Length: 3' \
':^)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | nc -lN 0.0.0.0 8000
pro http://0.0.0.0:8000
---
 Userland/Libraries/LibHTTP/Job.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Userland/Libraries/LibHTTP/Job.cpp b/Userland/Libraries/LibHTTP/Job.cpp
index 4b32fc4e47..aaed0d864a 100644
--- a/Userland/Libraries/LibHTTP/Job.cpp
+++ b/Userland/Libraries/LibHTTP/Job.cpp
@@ -383,7 +383,7 @@ void Job::finish_up()
 VERIFY(!m_has_scheduled_finish);
 m_state = State::Finished;
 if (!m_can_stream_response) {
- auto flattened_buffer = ByteBuffer::create_uninitialized(m_received_size).release_value(); // FIXME: Handle possible OOM situation.
+ auto flattened_buffer = ByteBuffer::create_uninitialized(m_buffered_size).release_value(); // FIXME: Handle possible OOM situation.
 u8* flat_ptr = flattened_buffer.data();
 for (auto& received_buffer : m_received_buffers) {
 memcpy(flat_ptr, received_buffer.data(), received_buffer.size());
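Review bot: The memcpy loop in the last lines of the hunk still copies each received buffer with no bound against the flattened buffer it just allocated, so correctness now rests entirely on m_buffered_size being kept equal to the sum of m_received_buffers sizes elsewhere in the file, which this hunk cannot show. A cheap check would turn any future drift between the two into a clean assertion instead of a heap overwrite: declare `size_t copied = 0;` before the loop and, inside it before the memcpy, add `VERIFY(copied + received_buffer.size() <= flattened_buffer.size());` followed by `copied += received_buffer.size();`. Separately, the FIXME kept on the changed line still applies: `release_value()` on a failed allocation terminates the process, and since the description says m_buffered_size may now exceed Content-Length, it is worth confirming that something upstream caps how much body is buffered when streaming is disabled. finish_up() begins before this hunk and the loop body continues past its last line.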