Merge branch 'bugfix/http_client_buffer_overflow_v3.3' into 'release/v3.3'

Fix HTTP client buffer overflow (v3.3) See merge request espressif/esp-idf!6667
2019-12-16 11:31:55 +08:00 · 2019-12-16 11:31:55 +08:00 · ce9ec29737
parent 7b73cf613c 40d5f61c4d
commit ce9ec29737
1 changed files with 7 additions and 0 deletions
--- a/components/esp_http_client/lib/http_header.c
+++ b/components/esp_http_client/lib/http_header.c
@ -178,6 +178,8 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu
    int idx = 0;
    int ret_idx = -1;
    bool is_end = false;
+
+    // iterate over the header entries to calculate buffer size and determine last item
    STAILQ_FOREACH(item, header, next) {
        if (item->value && idx >= index) {
            siz += strlen(item->key);
@ -187,7 +189,9 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu
        idx ++;

        if (siz + 1 > *buffer_len - 2) {
+            // if this item would not fit to the buffer, return the index of the last fitting one
            ret_idx = idx - 1;
+            break;
        }
    }

@ -195,10 +199,12 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu
        return 0;
    }
    if (ret_idx < 0) {
+        // all items would fit, mark this as the end of http header string
        ret_idx = idx;
        is_end = true;
    }

+    // iterate again over the header entries to write only the fitting indeces
    int str_len = 0;
    idx = 0;
    STAILQ_FOREACH(item, header, next) {
@ -208,6 +214,7 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu
        idx ++;
    }
    if (is_end) {
+        // write the http header terminator if all header entries have been written in this function call
        str_len += snprintf(buffer + str_len, *buffer_len - str_len, "\r\n");
    }
    *buffer_len = str_len;