From 4e20fe9f061cfe34118bc12a96842f8f5f162d3b Mon Sep 17 00:00:00 2001 From: Richard Mudgett Date: Thu, 30 Aug 2018 14:42:06 -0500 Subject: [PATCH] http.c: Give HTTP error response when received lines are too long. Added a check when we receive a HTTP request line or header line that is too long. We now return an error response to the sender because we are not able to process the request. Change-Id: I6df2705435fd7dde4d5d3bdf7acec859cfb7c12d --- main/http.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/main/http.c b/main/http.c index e8d395b154..15c6da29b7 100644 --- a/main/http.c +++ b/main/http.c @@ -1772,6 +1772,7 @@ static int http_request_headers_get(struct ast_tcptls_session_instance *ser, str remaining_headers = MAX_HTTP_REQUEST_HEADERS; for (;;) { + size_t len; char *name; char *value; @@ -1779,6 +1780,13 @@ static int http_request_headers_get(struct ast_tcptls_session_instance *ser, str ast_http_error(ser, 400, "Bad Request", "Timeout"); return -1; } + len = strlen(header_line); + if (!len || header_line[len - 1] != '\n') { + /* We didn't get a full line */ + ast_http_error(ser, 400, "Bad Request", + (len == sizeof(header_line) - 1) ? "Header line too long" : "Timeout"); + return -1; + } /* Trim trailing characters */ ast_trim_blanks(header_line); @@ -1847,6 +1855,7 @@ static int httpd_process_request(struct ast_tcptls_session_instance *ser) struct http_worker_private_data *request; enum ast_http_method http_method = AST_HTTP_UNKNOWN; int res; + size_t len; char request_line[MAX_HTTP_LINE_LENGTH]; if (!fgets(request_line, sizeof(request_line), ser->f)) { @@ -1857,6 +1866,14 @@ static int httpd_process_request(struct ast_tcptls_session_instance *ser) request = ser->private_data; http_request_tracking_init(request); + len = strlen(request_line); + if (!len || request_line[len - 1] != '\n') { + /* We didn't get a full line */ + ast_http_error(ser, 400, "Bad Request", + (len == sizeof(request_line) - 1) ? "Request line too long" : "Timeout"); + return -1; + } + /* Get method */ method = ast_skip_blanks(request_line); uri = ast_skip_nonblanks(method);