diff --git a/lib/parsers.c b/lib/parsers.c index e08f4f6c..0c89cd97 100644 --- a/lib/parsers.c +++ b/lib/parsers.c @@ -235,6 +235,10 @@ static int issue_char(struct lws *wsi, unsigned char c) /* Insert a null character when we *hit* the limit: */ if (frag_len == wsi->u.hdr.current_token_limit) { + if (wsi->u.hdr.ah->pos == sizeof(wsi->u.hdr.ah->data)) { + lwsl_warn("excessive header content 2\n"); + return -1; + } wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = '\0'; lwsl_warn("header %i exceeds limit\n", wsi->u.hdr.parser_state); @@ -340,9 +344,12 @@ int lws_parse(struct lws *wsi, unsigned char c) switch (wsi->u.hdr.ups) { case URIPS_IDLE: + if (!c) + return -1; /* genuine delimiter */ if ((c == '&' || c == ';') && !enc) { - issue_char(wsi, c); + if (issue_char(wsi, c) < 0) + return 1; /* swallow the terminator */ ah->frags[ah->nfrag].len--; /* link to next fragment */ @@ -429,7 +436,8 @@ int lws_parse(struct lws *wsi, unsigned char c) if (c == '?' && !enc && !ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS]) { /* start of URI arguments */ /* seal off uri header */ - ah->data[ah->pos++] = '\0'; + if (issue_char(wsi, '\0') < 0) + return -1; /* move to using WSI_TOKEN_HTTP_URI_ARGS */ ah->nfrag++; @@ -568,14 +576,8 @@ excessive: while (ah->frags[n].nfrag) n = ah->frags[n].nfrag; ah->frags[n].nfrag = ah->nfrag; - - if (ah->pos == sizeof(ah->data)) { - lwsl_warn("excessive header content\n"); + if (issue_char(wsi, ' ') < 0) return -1; - } - - ah->data[ah->pos++] = ' '; - ah->frags[ah->nfrag].len++; break; /* skipping arg part of a name we didn't recognize */