diff --git a/lib/parsers.c b/lib/parsers.c index aa99a44e..fca08514 100644 --- a/lib/parsers.c +++ b/lib/parsers.c @@ -185,16 +185,27 @@ static int issue_char(struct libwebsocket *wsi, unsigned char c) return -1; } - if( wsi->u.hdr.ah->frags[wsi->u.hdr.ah->next_frag_index].len >= + if (wsi->u.hdr.ah->frags[wsi->u.hdr.ah->next_frag_index].len >= wsi->u.hdr.current_token_limit) { lwsl_warn("header %i exceeds limit\n", wsi->u.hdr.parser_state); return 1; - }; + } wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = c; if (c) wsi->u.hdr.ah->frags[wsi->u.hdr.ah->next_frag_index].len++; + /* Insert a null character when we *hit* the limit: */ + if (wsi->u.hdr.ah->frags[wsi->u.hdr.ah->next_frag_index].len == wsi->u.hdr.current_token_limit) { + if (wsi->u.hdr.ah->pos == sizeof(wsi->u.hdr.ah->data)) { + lwsl_warn("excessive header content 2\n"); + return -1; + } + wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = '\0'; + lwsl_warn("header %i exceeds limit %d\n", + wsi->u.hdr.parser_state, wsi->u.hdr.current_token_limit); + } + return 0; } @@ -294,6 +305,8 @@ int libwebsocket_parse( switch (wsi->u.hdr.ups) { case URIPS_IDLE: + if (!c) + return -1; /* issue the first / always */ if (c == '/') wsi->u.hdr.ups = URIPS_SEEN_SLASH; @@ -356,7 +369,8 @@ int libwebsocket_parse( if (c == '?') { /* start of URI arguments */ /* seal off uri header */ - wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = '\0'; + if (issue_char(wsi, '\0') < 0) + return -1; /* move to using WSI_TOKEN_HTTP_URI_ARGS */ wsi->u.hdr.ah->next_frag_index++; @@ -504,13 +518,8 @@ start_fragment: wsi->u.hdr.ah->frags[n].next_frag_index = wsi->u.hdr.ah->next_frag_index; - if (wsi->u.hdr.ah->pos == sizeof(wsi->u.hdr.ah->data)) { - lwsl_warn("excessive header content\n"); + if (issue_char(wsi, ' ') < 0) return -1; - } - - wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = ' '; - wsi->u.hdr.ah->frags[wsi->u.hdr.ah->next_frag_index].len++; break; /* skipping arg part of a name we didn't recognize */ @@ -820,7 +829,7 @@ handle_first: return 1; } - if (wsi->u.ws.rx_ubuf_head + LWS_PRE >= wsi->u.ws.rx_ubuf_alloc) { + if (wsi->u.ws.rx_user_buffer_head + LWS_SEND_BUFFER_PRE_PADDING >= wsi->u.ws.rx_ubuf_alloc) { lwsl_err("Attempted overflow\n"); return -1; }