[Libwebsockets] lib/roles/http/parsers.c header copy possible overflow

Andy Green andy at warmcat.com
Fri Aug 27 07:01:23 CEST 2021



On 8/26/21 7:42 PM, UV 20 wrote:
> Hi, I am using v4.2-stable and found the following:
> 
> In the header copy function lws_hdr_copy() line 574, 577, 579 (see the 
> code at then end of this email), *dst is written with new separator in 
> buffer and dst++, but the variable len for remaining buffer length 
> doesn't decrease like line 569. So the checking of the remaining buffer 
> at line 562 doesn't prevent it from writing outside of the buffer anymore.

Thanks for letting me know, it is a bug.

IIUI, it boils down that for cookie headers with multiple cookies, a) 
lws_hdr_total_length() can tell you a smaller length (it doesn't deal 
with the separators the same as the copy) and b) lws_hdr_copy() doesn't 
account for the separators correctly either.

I pushed a patch on v4.2-stable here, please let me know if that solves 
it and I'll tag it out.

https://libwebsockets.org/git/libwebsockets/commit?id=a85b70bfe6f97431774f0f8045aee9608c4baa5c

-Andy







More information about the Libwebsockets mailing list