[tor-commits] [stegotorus/master] Vinod fixed a buf overflow bug in http_server_receive
zwol at torproject.org
zwol at torproject.org
Fri Jul 20 23:17:06 UTC 2012
commit 13527f93876020861ed6dc8701e94fc6beba0d45
Author: Steven Cheung <cheung at csl.sri.com>
Date: Wed Dec 21 18:51:54 2011 +0000
Vinod fixed a buf overflow bug in http_server_receive
git-svn-id: svn+ssh://spartan.csl.sri.com/svn/private/DEFIANCE@188 a58ff0ac-194c-e011-a152-003048836090
---
src/steg/http.cc | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/src/steg/http.cc b/src/steg/http.cc
index e4bdb0e..47290b0 100644
--- a/src/steg/http.cc
+++ b/src/steg/http.cc
@@ -730,7 +730,7 @@ http_server_receive(http *s, conn_t *conn, struct evbuffer *dest, struct evbuffe
c = 0;
- while (strncmp((char*) p, "\r\n", 2) != 0 && (cookie_mode != 0 || p[0] != '.')) {
+ while (strncmp((char*) p, "\r\n", 2) != 0 && (cookie_mode != 0 || p[0] != '.') && sofar < MAX_COOKIE_SIZE) {
if (!secondhalf)
c = 0;
if ('0' <= *p && *p <= '9')
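Review bot: The new `sofar < MAX_COOKIE_SIZE` term bounds only the write index into `outbuf`; nothing visible in this hunk bounds the read pointer `p`, so input that never contains `"\r\n"` (or a `.` when `cookie_mode` is 0) may still walk `p` past the end of the received data, and `strncmp` reads two bytes at each position. The loop condition should also compare `p` (and `p + 1`) with the end of the received buffer; the variable holding that end is not visible here. It is also worth confirming that the loop body, which continues outside this hunk, cannot advance `sofar` by more than one per iteration. If it can, the bound has to leave that much headroom. A short comment above the loop, such as `/* stop before outbuf is full; the terminator is written after the loop */`, would record why the limit is there.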
@@ -751,6 +751,12 @@ http_server_receive(http *s, conn_t *conn, struct evbuffer *dest, struct evbuffe
p++;
}
+
+ if (sofar >= MAX_COOKIE_SIZE) {
+ fprintf(stderr, "cookie buffer overflow\n");
+ exit(-1);
+ }
+
outbuf[sofar] = 0;
if (secondhalf) {
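Review bot: Calling `exit(-1)` when `sofar >= MAX_COOKIE_SIZE` turns an oversized cookie from a remote peer into termination of the whole server process, so the memory-safety fix leaves a remotely triggerable denial of service in its place. The length is attacker-controlled input, so this branch should reject only the offending connection: log the event and return the function's failure result to the caller instead of exiting. The return type and error value of `http_server_receive` are outside this hunk, so the exact statement has to be taken from the surrounding code. The message `"cookie buffer overflow"` would also read better as something like `"cookie exceeds MAX_COOKIE_SIZE, dropping request"`, since after this change no overflow has actually occurred at this point.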