diff options
author | Michael Catanzaro <mcatanzaro@gnome.org> | 2020-09-09 11:12:02 -0500 |
---|---|---|
committer | Michael Catanzaro <mcatanzaro@gnome.org> | 2020-09-09 11:22:26 -0500 |
commit | a83dae404feac517695c23ff43ce1e116e2bfbe0 (patch) | |
tree | 117708b164a783809e316f058e758653d2d80164 | |
parent | 95b75af462541838194d3b5f96374184ed6cc181 (diff) | |
download | libproxy-git-a83dae404feac517695c23ff43ce1e116e2bfbe0.tar.gz |
Rewrite url::recvline to be nonrecursive
This function processes network input. It's semi-trusted, because the
PAC ought to be trusted. But we still shouldn't allow it to control how
far we recurse. A malicious PAC can cause us to overflow the stack by
sending a sufficiently-long line without any '\n' character.
Also, this function failed to properly handle EINTR, so let's fix that
too, for good measure.
Fixes #134
-rw-r--r-- | libproxy/url.cpp | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/libproxy/url.cpp b/libproxy/url.cpp index ee776b2..68d69cd 100644 --- a/libproxy/url.cpp +++ b/libproxy/url.cpp @@ -388,16 +388,24 @@ string url::to_string() const { return m_orig; } -static inline string recvline(int fd) { - // Read a character. - // If we don't get a character, return empty string. - // If we are at the end of the line, return empty string. - char c = '\0'; - - if (recv(fd, &c, 1, 0) != 1 || c == '\n') - return ""; - - return string(1, c) + recvline(fd); +static string recvline(int fd) { + string line; + int ret; + + // Reserve arbitrary amount of space to avoid small memory reallocations. + line.reserve(128); + + do { + char c; + ret = recv(fd, &c, 1, 0); + if (ret == 1) { + if (c == '\n') + return line; + line += c; + } + } while (ret == 1 || (ret == -1 && errno == EINTR)); + + return line; } char* url::get_pac() { |