Skip to content

Commit 324736b

Browse files
wes-jmagasrevywes-jmagasrevy
committed
Fixed bug caused by our failure to check if the '=' was found immediately following the 'boundary' parameter in a multipart request. Cisco/Talos reproduced this bug by simply sending the server a malformed request without everything that would normally su
1 parent 51b1a83 commit 324736b

File tree

1 file changed

+9
-4
lines changed

1 file changed

+9
-4
lines changed

Server/Source/http-s_req.c

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1644,12 +1644,17 @@ static void HTTPsReq_HdrParse (HTTPs_INSTANCE *p_instance,
16441644
sizeof(HTTP_STR_MULTIPART_BOUNDARY));
16451645

16461646
if (p_val == DEF_NULL) {
1647-
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
1648-
return;
1647+
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
1648+
return;
16491649
}
16501650

16511651
/* Boundary located after '='. */
16521652
p_val = Str_Char_N(p_val, len, ASCII_CHAR_EQUALS_SIGN);
1653+
if (p_val == DEF_NULL) {
1654+
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
1655+
return;
1656+
}
1657+
16531658
p_val++; /* Remove space before boundary val. */
16541659
p_val = HTTP_StrGraphSrchFirst(p_val,
16551660
len);
@@ -1676,8 +1681,8 @@ static void HTTPsReq_HdrParse (HTTPs_INSTANCE *p_instance,
16761681
}
16771682
}
16781683

1679-
} else { /* Should not occurs. */
1680-
*p_err = HTTPs_ERR_REQ_MORE_DATA_REQUIRED;
1684+
} else { /* Should not occur. */
1685+
*p_err = HTTPs_ERR_REQ_MORE_DATA_REQUIRED;
16811686
return;
16821687
}
16831688
break;

0 commit comments

Comments
 (0)