Use dynamically allocated heap allocated buffers in

HTTP_InterpretHTTPHeader to avoid buffer overflow on large headers.

Use dynamically allocated heap allocated buffers in
b72a6827 · Robert Shearman · Alexandre Julliard · 12df80a7 · b72a6827
Commit b72a6827 authored Sep 23, 2004 by Robert Shearman Committed by Alexandre Julliard Sep 23, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 73 additions and 52 deletions

http.c dlls/wininet/http.c +73 -52

No files found.
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -93,7 +93,7 @@ BOOL HTTP_GetResponseHeaders(LPWININETHTTPREQW lpwhr);
 BOOL HTTP_ProcessHeader(LPWININETHTTPREQW lpwhr, LPCWSTR field, LPCWSTR value, DWORD dwModifier);
 BOOL HTTP_ReplaceHeaderValue( LPHTTPHEADERW lphttpHdr, LPCWSTR lpsztmp );
 void HTTP_CloseConnection(LPWININETHTTPREQW lpwhr);
-BOOL HTTP_InterpretHttpHeader(LPWSTR buffer, LPWSTR field, INT fieldlen, LPWSTR value, INT valuelen);
+LPWSTR * HTTP_InterpretHttpHeader(LPCWSTR buffer);
 INT HTTP_GetStdHeaderIndex(LPCWSTR lpszField);
 BOOL HTTP_InsertCustomHeader(LPWININETHTTPREQW lpwhr, LPHTTPHEADERW lpHdr);
 INT HTTP_GetCustomHeaderIndex(LPWININETHTTPREQW lpwhr, LPCWSTR lpszField);
@@ -168,7 +168,6 @@ static BOOL WINAPI HTTP_HttpAddRequestHeadersW(LPWININETHTTPREQW lpwhr,
    LPWSTR lpszStart;
    LPWSTR lpszEnd;
    LPWSTR buffer;
-    WCHAR value[MAX_FIELD_VALUE_LEN], field[MAX_FIELD_LEN];
    BOOL bSuccess = FALSE;
    DWORD len;
@@ -186,6 +185,8 @@ static BOOL WINAPI HTTP_HttpAddRequestHeadersW(LPWININETHTTPREQW lpwhr,
    do
    {
+        LPWSTR * pFieldAndValue;
        lpszEnd = lpszStart;
        while (*lpszEnd != '\0')
@@ -204,11 +205,15 @@ static BOOL WINAPI HTTP_HttpAddRequestHeadersW(LPWININETHTTPREQW lpwhr,
            lpszEnd += 2; /* Jump over \r\n */
        }
        TRACE("interpreting header %s\n", debugstr_w(lpszStart));
-        if (HTTP_InterpretHttpHeader(lpszStart, field, MAX_FIELD_LEN, value, MAX_FIELD_VALUE_LEN))
+        pFieldAndValue = HTTP_InterpretHttpHeader(lpszStart);
-            bSuccess = HTTP_ProcessHeader(lpwhr, field, value, dwModifier | HTTP_ADDHDR_FLAG_REQ);
+        if (pFieldAndValue)
+        {
+            bSuccess = HTTP_ProcessHeader(lpwhr, pFieldAndValue[0],
+                pFieldAndValue[1], dwModifier | HTTP_ADDHDR_FLAG_REQ);
+            HTTP_FreeTokens(pFieldAndValue);
+        }
        lpszStart = lpszEnd;
    } while (bSuccess);
    HeapFree(GetProcessHeap(), 0, buffer);
@@ -1981,7 +1986,6 @@ BOOL HTTP_GetResponseHeaders(LPWININETHTTPREQW lpwhr)
    DWORD buflen = MAX_REPLY_LEN;
    BOOL bSuccess = FALSE;
    INT  rc = 0;
-    WCHAR value[MAX_FIELD_VALUE_LEN], field[MAX_FIELD_LEN];
    static const WCHAR szCrLf[] = {'\r','\n',0};
    char bufferA[MAX_REPLY_LEN];
    LPWSTR status_code, status_text;
@@ -2046,7 +2050,9 @@ BOOL HTTP_GetResponseHeaders(LPWININETHTTPREQW lpwhr)
    {
 	buflen = MAX_REPLY_LEN;
        if (NETCON_getNextLine(&lpwhr->netConnection, bufferA, &buflen))
-	{
+        {
+            LPWSTR * pFieldAndValue;
            TRACE("got line %s, now interpretting\n", debugstr_a(bufferA));
            MultiByteToWideChar( CP_ACP, 0, bufferA, buflen, buffer, MAX_REPLY_LEN );
@@ -2061,10 +2067,14 @@ BOOL HTTP_GetResponseHeaders(LPWININETHTTPREQW lpwhr)
            cchRawHeaders += sizeof(szCrLf)/sizeof(szCrLf[0])-1;
            lpszRawHeaders[cchRawHeaders] = '\0';
-            if (!HTTP_InterpretHttpHeader(buffer, field, MAX_FIELD_LEN, value, MAX_FIELD_VALUE_LEN))
+            pFieldAndValue = HTTP_InterpretHttpHeader(buffer);
+            if (!pFieldAndValue)
                break;
-            HTTP_ProcessHeader(lpwhr, field, value, (HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE));
+            HTTP_ProcessHeader(lpwhr, pFieldAndValue[0], pFieldAndValue[1], 
+                HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE);
+            HTTP_FreeTokens(pFieldAndValue);
 	}
 	else
 	{
@@ -2089,6 +2099,26 @@ lend:
 }
+static void strip_spaces(LPWSTR start)
+{
+    LPWSTR str = start;
+    LPWSTR end;
+    while (*str == ' ' && *str != '\0')
+        str++;
+    if (str != start)
+        memmove(start, str, sizeof(WCHAR) * (strlenW(str) + 1));
+    end = start + strlenW(start) - 1;
+    while (end >= start && *end == ' ')
+    {
+        *end = '\0';
+        end--;
+    }
+}
 /***********************************************************************
 *           HTTP_InterpretHttpHeader (internal)
 *
@@ -2096,59 +2126,50 @@ lend:
 *
 * RETURNS
 *
- *   TRUE  on success
+ *   Pointer to array of field, value, NULL on success.
- *   FALSE on error
+ *   NULL on error.
 */
-static INT stripSpaces(LPCWSTR lpszSrc, LPWSTR lpszStart, INT *len)
+LPWSTR * HTTP_InterpretHttpHeader(LPCWSTR buffer)
 {
-    LPCWSTR lpsztmp;
+    LPWSTR * pTokenPair;
-    INT srclen;
+    LPWSTR pszColon;
+    INT len;
-    srclen = 0;
-    while (*lpszSrc == ' ' && *lpszSrc != '\0')
+    pTokenPair = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(*pTokenPair)*3);
-	lpszSrc++;
-    lpsztmp = lpszSrc;
+    pszColon = strchrW(buffer, ':');
-    while(*lpsztmp != '\0')
+    /* must have two tokens */
+    if (!pszColon)
    {
-        if (*lpsztmp != ' ')
+        HTTP_FreeTokens(pTokenPair);
-	    srclen = lpsztmp - lpszSrc + 1;
+        return NULL;
-	lpsztmp++;
    }
-    *len = min(*len, srclen);
+    pTokenPair[0] = HeapAlloc(GetProcessHeap(), 0, (pszColon - buffer + 1) * sizeof(WCHAR));
-    strncpyW(lpszStart, lpszSrc, *len);
+    if (!pTokenPair[0])
-    lpszStart[*len] = '\0';
+    {
+        HTTP_FreeTokens(pTokenPair);
-    return *len;
+        return NULL;
-}
+    }
+    memcpy(pTokenPair[0], buffer, (pszColon - buffer) * sizeof(WCHAR));
+    pTokenPair[0][pszColon - buffer] = '\0';
-BOOL HTTP_InterpretHttpHeader(LPWSTR buffer, LPWSTR field, INT fieldlen, LPWSTR value, INT valuelen)
-{
-    WCHAR *pd;
-    BOOL bSuccess = FALSE;
-    TRACE("\n");
-    *field = '\0';
-    *value = '\0';
-    pd = strchrW(buffer, ':');
+    /* skip colon */
-    if (pd)
+    pszColon++;
+    len = strlenW(pszColon);
+    pTokenPair[1] = HeapAlloc(GetProcessHeap(), 0, (len + 1) * sizeof(WCHAR));
+    if (!pTokenPair[1])
    {
-	*pd = '\0';
+        HTTP_FreeTokens(pTokenPair);
-	if (stripSpaces(buffer, field, &fieldlen) > 0)
+        return NULL;
-	{
-	    if (stripSpaces(pd+1, value, &valuelen) > 0)
-		bSuccess = TRUE;
-	}
    }
+    memcpy(pTokenPair[1], pszColon, (len + 1) * sizeof(WCHAR));
-    TRACE("%d: field(%s) Value(%s)\n", bSuccess, debugstr_w(field), debugstr_w(value));
+    strip_spaces(pTokenPair[0]);
-    return bSuccess;
+    strip_spaces(pTokenPair[1]);
+    TRACE("field(%s) Value(%s)\n", debugstr_w(pTokenPair[0]), debugstr_w(pTokenPair[1]));
+    return pTokenPair;
 }
@@ -2530,7 +2551,7 @@ INT HTTP_GetCustomHeaderIndex(LPWININETHTTPREQW lpwhr, LPCWSTR lpszField)
    if (index >= lpwhr->nCustHeaders)
 	index = -1;
-    TRACE("Return: %lu\n", index);
+    TRACE("Return: %ld\n", index);
    return index;
 }