LibHTTP: Fix buffer overflow when body is larger than the Content-Length
(Actually, this also needs a Content-Encoding header, as response streaming is disabled then. It didn't fit in the title.)

We were creating a buffer that was too small -- instead of assigning the total received buffer size, we were using the Content-Length value.

As you can see, the m_buffered_size might now exceed the Content-Length value, but that will be handled in the next commits, regardless of whether the response can be streamed or not. :^)

Here's a minimal example that caused a crash before:

printf 'HTTP/1.0 200 OK\r\n%s\r\n%s\r\n\r\n%s' \
    'Content-Encoding: anything' 'Content-Length: 3' \
    ':^)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | nc -lN 0.0.0.0 8000

pro http://0.0.0.0:8000
parent
87bd98fe8e
commit
71f663b205
1 changed files with 1 additions and 1 deletions
|
@ -383,7 +383,7 @@ void Job::finish_up()
|
|||
VERIFY(!m_has_scheduled_finish);
|
||||
m_state = State::Finished;
|
||||
if (!m_can_stream_response) {
|
||||
auto flattened_buffer = ByteBuffer::create_uninitialized(m_received_size).release_value(); // FIXME: Handle possible OOM situation.
|
||||
auto flattened_buffer = ByteBuffer::create_uninitialized(m_buffered_size).release_value(); // FIXME: Handle possible OOM situation.
|
||||
u8* flat_ptr = flattened_buffer.data();
|
||||
for (auto& received_buffer : m_received_buffers) {
|
||||
memcpy(flat_ptr, received_buffer.data(), received_buffer.size());
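Review bot: The `memcpy` inside the `for (auto& received_buffer : m_received_buffers)` loop is still unchecked against the destination, so the copy is only safe while `m_buffered_size` happens to equal the sum of the buffer sizes; the overflow fixed here came from exactly that kind of counter mismatch. I would make the invariant explicit just before the copy, for example `VERIFY(flat_ptr + received_buffer.size() <= flattened_buffer.data() + flattened_buffer.size());` (assuming `ByteBuffer` exposes `size()` as the per-chunk buffers do), so a future drift in the counter becomes a clean assertion failure instead of a heap write past the allocation. Separately, the allocation size now follows how much the peer actually sent, so the `release_value()` marked with the OOM FIXME looks reachable from network input and is worth turning into a handled error. The rest of `Job::finish_up()`, including the loop's pointer advance, is outside the hunk, so this should be confirmed against the full function.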