WPS: Fix HTTP body length check

Commit 7da4f4b499 ('WPS: Check maximum
HTTP body length earlier in the process') added too strict check for
body length allocation. The comparison of new_alloc_nbytes against
h->max_bytes did not take into account that HTTPREAD_BODYBUF_DELTA was
added to previous allocation even if that ended up going beyond
h->max_bytes. This ended up rejecting some valid HTTP operations, e.g.,
when checking AP response to WPS ER setting selected registrar.

Fix this by taking HTTPREAD_BODYBUF_DELTA into account.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-25 00:17:00 +03:00
parent 20f331b707
commit 2ce741fe0f

View file

@ -506,10 +506,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
new_alloc_nbytes < (h->content_length + 1)) new_alloc_nbytes < (h->content_length + 1))
new_alloc_nbytes = h->content_length + 1; new_alloc_nbytes = h->content_length + 1;
if (new_alloc_nbytes < h->body_alloc_nbytes || if (new_alloc_nbytes < h->body_alloc_nbytes ||
new_alloc_nbytes > h->max_bytes) { new_alloc_nbytes > h->max_bytes +
HTTPREAD_BODYBUF_DELTA) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"httpread: Unacceptable body length %d", "httpread: Unacceptable body length %d (body_alloc_nbytes=%u max_bytes=%u)",
new_alloc_nbytes); new_alloc_nbytes,
h->body_alloc_nbytes,
h->max_bytes);
goto bad; goto bad;
} }
if ((new_body = os_realloc(h->body, new_alloc_nbytes)) if ((new_body = os_realloc(h->body, new_alloc_nbytes))