diff --git a/lib/parsers.c b/lib/parsers.c index 17059af8..67a809ca 100644 --- a/lib/parsers.c +++ b/lib/parsers.c @@ -334,6 +334,10 @@ static int issue_char(struct lws *wsi, unsigned char c) /* Insert a null character when we *hit* the limit: */ if (frag_len == wsi->u.hdr.current_token_limit) { + if (wsi->u.hdr.ah->pos == wsi->context->max_http_header_data) { + lwsl_warn("excessive header content 2\n"); + return -1; + } wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = '\0'; lwsl_warn("header %i exceeds limit %d\n", wsi->u.hdr.parser_state, wsi->u.hdr.current_token_limit); @@ -439,9 +443,12 @@ int lws_parse(struct lws *wsi, unsigned char c) switch (wsi->u.hdr.ups) { case URIPS_IDLE: + if (!c) + return -1; /* genuine delimiter */ if ((c == '&' || c == ';') && !enc) { - issue_char(wsi, c); + if (issue_char(wsi, c) < 0) + return -1; /* swallow the terminator */ ah->frags[ah->nfrag].len--; /* link to next fragment */ @@ -528,7 +535,8 @@ int lws_parse(struct lws *wsi, unsigned char c) if (c == '?' && !enc && !ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS]) { /* start of URI arguments */ /* seal off uri header */ - ah->data[ah->pos++] = '\0'; + if (issue_char(wsi, '\0') < 0) + return -1; /* move to using WSI_TOKEN_HTTP_URI_ARGS */ ah->nfrag++; @@ -669,13 +677,8 @@ excessive: n = ah->frags[n].nfrag; ah->frags[n].nfrag = ah->nfrag; - if (ah->pos == wsi->context->max_http_header_data) { - lwsl_warn("excessive header content\n"); + if (issue_char(wsi, ' ') < 0) return -1; - } - - ah->data[ah->pos++] = ' '; - ah->frags[ah->nfrag].len++; break; /* skipping arg part of a name we didn't recognize */