[Libwebsockets] lib/roles/http/parsers.c header copy possible overflow

UV 20 sas2016spss at gmail.com
Fri Aug 27 17:53:54 CEST 2021


I reviewed and tested the patch. It works well on my header with multiple
cookies. Thanks.

On Thu, Aug 26, 2021 at 10:01 PM Andy Green <andy at warmcat.com> wrote:

>
> On 8/26/21 7:42 PM, UV 20 wrote:
> > Hi, I am using v4.2-stable and found the following:
> >
> > In the header copy function lws_hdr_copy() lines 574, 577, 579 (see the
> > code at the end of this email), *dst is written with a new separator in
> > buffer and dst++, but the variable len for remaining buffer length
> > doesn't decrease like line 569. So the checking of the remaining buffer
> > at line 562 doesn't prevent it from writing outside of the buffer
> > anymore.
>
> Thanks for letting me know, it is a bug.
>
> IIUI, it boils down that for cookie headers with multiple cookies, a)
> lws_hdr_total_length() can tell you a smaller length (it doesn't deal
> with the separators the same as the copy) and b) lws_hdr_copy() doesn't
> account for the separators correctly either.
>
> I pushed a patch on v4.2-stable here, please let me know if that solves
> it and I'll tag it out.
>
>
> https://libwebsockets.org/git/libwebsockets/commit?id=a85b70bfe6f97431774f0f8045aee9608c4baa5c
>
> -Andy
>
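
The accounting problem discussed in this thread, shown as an added example in hardened form; this is a simplified model and not libwebsockets code or the patch linked above. The `struct frag` type, the function names, the `"; "` separator and the sample cookies are assumptions made for illustration. The length function and the copy function charge separators the same way, and every separator byte written is deducted from the remaining space.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model: one header value stored as fragments (hypothetical type). */
struct frag { const char *p; size_t len; };

#define SEP     "; "	/* assumed separator written between fragments */
#define SEP_LEN 2

/* Constructed sample: three cookie fragments of one Cookie header. */
static const struct frag sample[] = { {"a=1", 3}, {"b=22", 4}, {"c=333", 5} };

/* Length of the joined value, separators included, NUL excluded. */
size_t joined_length(const struct frag *f, size_t n)
{
	size_t total = 0, i;

	for (i = 0; i < n; i++)
		total += f[i].len + (i + 1 < n ? SEP_LEN : 0);
	return total;
}

/*
 * Join the fragments into dst (dst_len bytes, NUL included). Separator
 * bytes are charged against 'left' exactly like fragment bytes, so the
 * bounds check stays valid for every write. Returns the string length,
 * or -1 if dst is too small.
 */
int joined_copy(char *dst, size_t dst_len, const struct frag *f, size_t n)
{
	size_t left = dst_len, i, need;
	char *start = dst;

	for (i = 0; i < n; i++) {
		need = f[i].len + (i + 1 < n ? SEP_LEN : 0);
		if (need >= left)	/* always keep one byte for the NUL */
			return -1;
		memcpy(dst, f[i].p, f[i].len);
		dst += f[i].len;
		if (i + 1 < n) {
			memcpy(dst, SEP, SEP_LEN);
			dst += SEP_LEN;
		}
		left -= need;
	}
	if (!left)
		return -1;
	*dst = '\0';
	return (int)(dst - start);
}
```

A buffer sized from the fragment lengths alone (12 bytes plus the NUL here) is rejected rather than overrun, because the joined value needs 16 bytes plus the NUL.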