From 2ce741fe0f7335dd8a6ca787d3ad95748e0f8d2f Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 25 Aug 2015 00:17:00 +0300
Subject: [PATCH] WPS: Fix HTTP body length check
Commit 7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e ('WPS: Check maximum HTTP body length earlier in the process') added too strict check for body length allocation. The comparison of new_alloc_nbytes against h->max_bytes did not take into account that HTTPREAD_BODYBUF_DELTA was added to previous allocation even if that ended up going beyond h->max_bytes. This ended up rejecting some valid HTTP operations, e.g., when checking AP response to WPS ER setting selected registrar. Fix this by taking HTTPREAD_BODYBUF_DELTA into account.
Signed-off-by: Jouni Malinen
---
 src/wps/httpread.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index 180b572c1..d6c2b62ae 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -506,10 +506,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
 new_alloc_nbytes < (h->content_length + 1))
 new_alloc_nbytes = h->content_length + 1;
 if (new_alloc_nbytes < h->body_alloc_nbytes ||
- new_alloc_nbytes > h->max_bytes) {
+ new_alloc_nbytes > h->max_bytes +
+ HTTPREAD_BODYBUF_DELTA) {
 wpa_printf(MSG_DEBUG,
- "httpread: Unacceptable body length %d",
- new_alloc_nbytes);
+ "httpread: Unacceptable body length %d (body_alloc_nbytes=%u max_bytes=%u)",
+ new_alloc_nbytes,
+ h->body_alloc_nbytes,
+ h->max_bytes);
 goto bad;
 }
 if ((new_body = os_realloc(h->body, new_alloc_nbytes))
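Review bot: The relaxed bound `new_alloc_nbytes > h->max_bytes + HTTPREAD_BODYBUF_DELTA` lets the body buffer grow past `h->max_bytes` by up to one delta, and nothing visible in the hunk shows where the received body length itself is still held to `max_bytes`. Because this loosens a limit check that the referenced earlier commit introduced, that remaining cap should be confirmed, and the condition deserves a comment such as `/* allocation grows in HTTPREAD_BODYBUF_DELTA steps, so allow one step of overshoot past max_bytes */`. The addition is unguarded, so if `max_bytes` is a signed int configured near its maximum the sum would overflow; this is hedged because the field types are declared outside the hunk. The new debug message prints `new_alloc_nbytes` with `%d` but `h->body_alloc_nbytes` and `h->max_bytes` with `%u`, while the `new_alloc_nbytes < h->body_alloc_nbytes` wrap test suggests they share a signed type, so the specifiers should be matched to the declarations. `httpread_read_handler` starts and ends outside the hunk.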