From b7a9f5e115ca8d58186baad061251365c9dededd Mon Sep 17 00:00:00 2001 From: David Cermak Date: Tue, 5 Nov 2019 09:44:06 +0100 Subject: [PATCH 1/2] http_client: possible buffer overflow fixed when determining last header item to be written closes IDF-694 --- components/esp_http_client/lib/http_header.c | 1 + 1 file changed, 1 insertion(+) diff --git a/components/esp_http_client/lib/http_header.c b/components/esp_http_client/lib/http_header.c index b771f6f6e..ec69aa215 100644 --- a/components/esp_http_client/lib/http_header.c +++ b/components/esp_http_client/lib/http_header.c @@ -188,6 +188,7 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu if (siz + 1 > *buffer_len - 2) { ret_idx = idx - 1; + break; } } From 40d5f61c4dddce5dbfefe4aa330f00047f4b3172 Mon Sep 17 00:00:00 2001 From: David Cermak Date: Tue, 5 Nov 2019 09:53:29 +0100 Subject: [PATCH 2/2] http_client: added comments to http header generation function --- components/esp_http_client/lib/http_header.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/components/esp_http_client/lib/http_header.c b/components/esp_http_client/lib/http_header.c index ec69aa215..0e41786ec 100644 --- a/components/esp_http_client/lib/http_header.c +++ b/components/esp_http_client/lib/http_header.c @@ -178,6 +178,8 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu int idx = 0; int ret_idx = -1; bool is_end = false; + + // iterate over the header entries to calculate buffer size and determine last item STAILQ_FOREACH(item, header, next) { if (item->value && idx >= index) { siz += strlen(item->key); @@ -187,6 +189,7 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu idx ++; if (siz + 1 > *buffer_len - 2) { + // if this item would not fit to the buffer, return the index of the last fitting one ret_idx = idx - 1; break; } @@ -196,10 +199,12 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu return 0; } if (ret_idx < 0) { + // all items would fit, mark this as the end of http header string ret_idx = idx; is_end = true; } + // iterate again over the header entries to write only the fitting indeces int str_len = 0; idx = 0; STAILQ_FOREACH(item, header, next) { @@ -209,6 +214,7 @@ int http_header_generate_string(http_header_handle_t header, int index, char *bu idx ++; } if (is_end) { + // write the http header terminator if all header entries have been written in this function call str_len += snprintf(buffer + str_len, *buffer_len - str_len, "\r\n"); } *buffer_len = str_len;