| author | Liangbin Lian | 2023-04-24 03:53:16 +0000 |
|---|---|---|
| committer | Hauke Mehrtens | 2023-06-25 17:24:45 +0000 |
| commit | 34a8a74dbdec3c0de38abc1b08f6a73c51263792 (patch) | |
| tree | 79c8039dcc147b4c9971605983844ab49418edaa | |
| parent | 47561aa13574068403d48f13ea310f8511057b2b (diff) | |
| download | uhttpd-34a8a74dbdec3c0de38abc1b08f6a73c51263792.tar.gz | |
uhttpd/file: fix string out of buffer range on uh_defer_script
If a URL path length is a multiple of 8, the trailing zero will be trimmed off in uh_defer_script, causing a strange error.
it's simple to reproduce.
1. create a luci controller, register a entry with path length multiple of 8 (including '/cgi-bin/'), for example, '/cgi-bin/luci/admin/system/admin'.
2. set uhttpd max_requests to 1, and restart uhttpd
3. request '/cgi-bin/luci/admin/system/admin' with at least 2 process
4. some responses will produce a error:
```
Unable to launch the requested CGI program:
/www/cgi-bin/luci: No such file or directory
```
Signed-off-by: Liangbin Lian <jjm2473@gmail.com>
| -rw-r--r-- | file.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -797,7 +797,7 @@ uh_defer_script(struct client *cl, struct dispatch_handler *d, char *url, struct
 /* allocate enough memory to duplicate all path_info strings in one block */
 #undef _field
 #define _field(_name) &_##_name, field_len(pi->_name),
- dr = calloc_a(sizeof(*dr), &_url, strlen(url), path_info_fields NULL);
+ dr = calloc_a(sizeof(*dr), &_url, strlen(url) + 1, path_info_fields NULL);
 memcpy(&dr->pi, pi, sizeof(*pi));
 dr->path = true;
@@ -807,7 +807,7 @@ uh_defer_script(struct client *cl, struct dispatch_handler *d, char *url, struct
 #define _field(_name) if (pi->_name) dr->pi._name = strcpy(_##_name, pi->_name);
 path_info_fields
 } else {
- dr = calloc_a(sizeof(*dr), &_url, strlen(url), NULL);
+ dr = calloc_a(sizeof(*dr), &_url, strlen(url) + 1, NULL);
 }
 cl->dispatch.req_data = dr; |
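Review bot: In the first hunk `memcpy(&dr->pi, pi, sizeof(*pi));` dereferences `dr` immediately after `calloc_a()` with no NULL check, and the second hunk stores the equally unchecked result in `cl->dispatch.req_data`. If `calloc_a()` returns NULL on allocation failure, as libubox's helper is understood to do, this path faults at the moment the server is deferring requests under load. A guard after each allocation, for example `if (!dr) return;` (assuming the function returns void, and ideally paired with whatever error reply the file uses elsewhere), would close that gap. The `+ 1` itself would be easier to keep correct with a comment such as `/* + 1: room for the NUL terminator written when url is copied into _url */`, since the copy presumably happens below the hunk. uh_defer_script's body starts and ends outside both hunks.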