mirror of https://github.com/RGBCube/serenity synced 2025-07-25 22:57:44 +00:00

LibHTTP: Fix buffer overflow when body is larger than the Content-Length

(Actually, this also needs a Content-Encoding header, as response
streaming is disabled then. It didn't fit in the title.)

We were creating too small a buffer -- instead of assigning the total
received buffer size, we were using the Content-Length value.

As you can see, the m_buffered_size might now exceed the Content-Length
value, but that will be handled in the next commits, regardless of
whether the response can be streamed or not. :^)

Here's minimal code that caused a crash before:

  printf 'HTTP/1.0 200 OK\r\n%s\r\n%s\r\n\r\n%s' \
      'Content-Encoding: anything' 'Content-Length: 3' \
      ':^)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | nc -lN 0.0.0.0 8000
  pro http://0.0.0.0:8000

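
As an added illustration (not code from the SerenityOS tree or from this commit), the stand-alone C++ below reproduces the sizing mistake the message describes. It uses plain std::vector in place of AK::ByteBuffer and hypothetical function names (flatten_checked, total_buffered, sample_chunks): the received chunks are flattened into a buffer sized either by the Content-Length value (3, the pre-fix choice) or by the bytes actually buffered (34, the fix). Unlike the original memcpy loop, the helper checks the remaining room before each copy and refuses rather than writing past the end. The sample body is constructed to resemble the commit's example (":^)" plus a run of A's) and is split in two chunks to mimic several reads from the socket.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Stand-in for the AK::ByteBuffers held in Job::m_received_buffers.
using Chunk = std::vector<uint8_t>;

// Sum of the bytes actually buffered so far. This is what the fix uses as
// the allocation size (m_buffered_size in the real Job).
size_t total_buffered(const std::vector<Chunk>& chunks)
{
    size_t total = 0;
    for (const auto& chunk : chunks)
        total += chunk.size();
    return total;
}

// Flattens the received chunks into one buffer of `capacity` bytes.
// The pre-fix code derived `capacity` from the Content-Length header; the
// fix derives it from total_buffered(). Unlike the original memcpy loop,
// this version checks every copy against the remaining room and returns
// std::nullopt instead of writing past the end of the allocation.
std::optional<std::vector<uint8_t>> flatten_checked(const std::vector<Chunk>& chunks, size_t capacity)
{
    std::vector<uint8_t> flat(capacity);
    size_t offset = 0;
    for (const auto& chunk : chunks) {
        if (chunk.size() > flat.size() - offset)
            return std::nullopt; // would overflow the flat buffer: refuse
        std::memcpy(flat.data() + offset, chunk.data(), chunk.size());
        offset += chunk.size();
    }
    return flat;
}

// Constructed sample (hypothetical, modelled on the commit message):
// Content-Length claims 3 bytes, but the body is ":^)" followed by
// 31 'A's, 34 bytes in total, delivered as two chunks.
constexpr size_t sample_content_length = 3;

std::vector<Chunk> sample_chunks()
{
    std::string body = ":^)" + std::string(31, 'A');
    Chunk first(body.begin(), body.begin() + 16);
    Chunk second(body.begin() + 16, body.end());
    return { first, second };
}

// Pre-fix behaviour: a buffer sized by Content-Length cannot hold the body.
bool flatten_by_content_length_overflows()
{
    return !flatten_checked(sample_chunks(), sample_content_length).has_value();
}

// Fixed behaviour: a buffer sized by the bytes actually received holds it all.
bool flatten_by_buffered_size_fits()
{
    auto chunks = sample_chunks();
    auto flat = flatten_checked(chunks, total_buffered(chunks));
    return flat.has_value() && flat->size() == 34;
}

int main()
{
    std::printf("sized by Content-Length (3):  %s\n",
        flatten_by_content_length_overflows() ? "overflow refused" : "fits");
    std::printf("sized by buffered size (34):  %s\n",
        flatten_by_buffered_size_fits() ? "fits" : "overflow refused");
    return 0;
}
```

The bounds check is the part worth keeping in mind when reading the hunk below: sizing the allocation correctly removes this particular overflow, but a copy loop that trusts a separately maintained byte counter is only as safe as that counter, so a cheap check against the destination size costs little and turns any future mismatch into a loud failure instead of a heap write.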
This commit is contained in:
Karol Kosek 2021-10-16 01:40:43 +02:00 committed by Andreas Kling
parent 87bd98fe8e
commit 71f663b205


@ -383,7 +383,7 @@ void Job::finish_up()
VERIFY(!m_has_scheduled_finish);
m_state = State::Finished;
if (!m_can_stream_response) {
auto flattened_buffer = ByteBuffer::create_uninitialized(m_received_size).release_value(); // FIXME: Handle possible OOM situation.
auto flattened_buffer = ByteBuffer::create_uninitialized(m_buffered_size).release_value(); // FIXME: Handle possible OOM situation.
u8* flat_ptr = flattened_buffer.data();
for (auto& received_buffer : m_received_buffers) {
memcpy(flat_ptr, received_buffer.data(), received_buffer.size());
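Review bot: the memcpy loop at the end of this hunk still has no bounds check; it copies every `received_buffer` into `flattened_buffer` trusting that the chunk sizes add up to `m_buffered_size`. Sizing the allocation by `m_buffered_size` rather than `m_received_size` is the right fix for the overflow described in the message, but consider adding `VERIFY(flat_ptr + received_buffer.size() <= flattened_buffer.data() + flattened_buffer.size());` inside the loop (or a single VERIFY before it that the buffers in `m_received_buffers` sum to `m_buffered_size`) so that any future drift between the counter and the list fails loudly instead of overflowing again. The `release_value()` with its FIXME also remains: now that the buffer is sized by bytes received from the network rather than by the header, the OOM path is reachable with a large response and is worth handling rather than asserting on.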