1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
|
From 9eb5dfe7bb8c0e07ec3a5eaf5ffdbb20a4fb0d4c Mon Sep 17 00:00:00 2001
From: Tomasz Wasilczyk <twasilczyk@pidgin.im>
Date: Wed, 29 Jan 2014 13:52:49 +0100
Subject: [PATCH 2/3] Fix CVE-2013-6487: a possible buffer overflow when
parsing HTTP response
---
src/http.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/http.c b/src/http.c
index 53fafeb..901289f 100644
--- a/src/http.c
+++ b/src/http.c
@@ -43,6 +43,8 @@
#include <string.h>
#include <unistd.h>
+#define GG_HTTP_MAX_LENGTH 1000000000
+
/**
* Rozpoczyna połączenie HTTP.
*
@@ -360,6 +362,11 @@ int gg_http_watch_fd(struct gg_http *h)
h->body_size = left;
}
+ if (h->body_size > GG_HTTP_MAX_LENGTH) {
+ gg_debug(GG_DEBUG_MISC, "=> http, content-length too big\n");
+ h->body_size = GG_HTTP_MAX_LENGTH;
+ }
+
if (left > h->body_size) {
gg_debug(GG_DEBUG_MISC, "=> http, oversized reply (%d bytes needed, %d bytes left)\n", h->body_size, left);
h->body_size = left;
--
1.8.5.3
|