MFC: os: Make sure big requests have sufficient length.

A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF.  Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
This commit is contained in:
matthieu 2017-10-14 09:17:40 +00:00
parent 9b9efb1bdf
commit fe08a081d8

View File

@ -480,6 +480,11 @@ ReadRequestFromClient(ClientPtr client)
if (++timesThisConnection >= MAX_TIMES_PER) if (++timesThisConnection >= MAX_TIMES_PER)
YieldControl(); YieldControl();
if (move_header) { if (move_header) {
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
YieldControlDeath();
return -1;
}
request = (xReq *) oci->bufptr; request = (xReq *) oci->bufptr;
oci->bufptr += (sizeof(xBigReq) - sizeof(xReq)); oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
*(xReq *) oci->bufptr = *request; *(xReq *) oci->bufptr = *request;