From abb109441dbe90bac545ddb98097a443b4a46ca4 Mon Sep 17 00:00:00 2001 From: Florian Larysch Date: Sat, 7 Sep 2024 21:13:54 +0200 Subject: [PATCH] store-http: check decode_buffer_absorb return value decode_buffer_absorb can fail when it has to resize the buffer. In that case, it will drop the incoming data and the current transfer can't meaningfully continue. Make store_http_data_cb check the return value so that it will immediately abort the transfer in such a situation. --- store-http.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/store-http.c b/store-http.c index 19e3fad..e28e64c 100644 --- a/store-http.c +++ b/store-http.c @@ -63,8 +63,11 @@ static int decode_buffer_absorb(struct store_http *hs, uint8_t *data, size_t len size_t new_size; new_size = hs->decode_buffer_size + len; - if (new_size < hs->decode_buffer_size) + if (new_size < hs->decode_buffer_size) { + u_log(ERR, "incrementing decode buffer size %zu by %zu overflows", + hs->decode_buffer_size, len); return -1; + } new_buf = realloc(hs->decode_buffer, new_size); if (!new_buf) { @@ -161,7 +164,8 @@ static size_t store_http_data_cb(char *ptr, size_t size, size_t nmemb, void *use ssize_t ret; if (ctx->hs->decode_buffer_fill) { - decode_buffer_absorb(ctx->hs, (uint8_t*)ptr, nmemb); + if (decode_buffer_absorb(ctx->hs, (uint8_t*)ptr, nmemb) < 0) + goto fail; ret = handle_data(ctx, ctx->hs->decode_buffer, ctx->hs->decode_buffer_fill); if (ret < 0) @@ -177,7 +181,8 @@ static size_t store_http_data_cb(char *ptr, size_t size, size_t nmemb, void *use } else if ((size_t)ret < nmemb) { // if we haven't used up all the data we were given, push it // into the buffer for the next time around - decode_buffer_absorb(ctx->hs, (uint8_t*)&ptr[ret], nmemb - ret); + if (decode_buffer_absorb(ctx->hs, (uint8_t*)&ptr[ret], nmemb - ret) < 0) + goto fail; } }