From ba89136fd53c3008cf014501bf1e741939932b4b Mon Sep 17 00:00:00 2001 From: John Burke Date: Tue, 21 Sep 2021 20:33:18 -0500 Subject: [PATCH] compression: fix overflow when hdr_field contains sanitized body When rebuilding headers for compaction, we cannot shortcut non-compacted headers at assembly time by using raw hdr_field.len for a few reasons: (1) calculated compact buffer len is based on hdr_field.body not hdr_field.len, (2) hdr_field.body is sanitized and may have adjusted len. --- modules/compression/compression.c | 39 +++++++++++-------------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/modules/compression/compression.c b/modules/compression/compression.c index 9f3a9547c0a..2123512c5b1 100644 --- a/modules/compression/compression.c +++ b/modules/compression/compression.c @@ -91,7 +91,6 @@ #define WORD(p) (*(p + 0) + (*(p + 1) << 8)) #define DWORD(p) (*(p+0) + (*(p+1) << 8) + (*(p+2) << 16) + (*(p+3) << 24)) -#define LOWER_CASE(p) (*(p) & 0x20) #define BUFLEN 4096 #define COMPACT_FORMS "cfiklmstvx" @@ -844,31 +843,19 @@ static int mc_compact_cb(char** buf_p, mc_whitelist_p wh_list, int type, int* ol i = HDR_OTHER_T; again: if (hdr_mask[i]) { - /* Compact form name so the header have - to be built */ - if (LOWER_CASE(hdr_mask[i]->name.s)) { - /* Copy the name of the header */ - wrap_copy_and_update(&new_buf.s, - hdr_mask[i]->name.s, - hdr_mask[i]->name.len, &new_buf.len); - - /* Copy the ': ' delimiter*/ - wrap_copy_and_update(&new_buf.s, DELIM, - DELIM_LEN, &new_buf.len); - /* Copy the first field of the header*/ - wrap_copy_and_update(&new_buf.s, - hdr_mask[i]->body.s, - hdr_mask[i]->body.len, &new_buf.len); - /* Normal form header so it can be copied in one step */ - } else { - wrap_copy_and_update( - &new_buf.s, - hdr_mask[i]->name.s, - /* Possible siblings. No CRLF yet */ - hdr_mask[i]->len - CRLF_LEN, - &new_buf.len - ); - } + /* Copy the name of the header */ + wrap_copy_and_update(&new_buf.s, + hdr_mask[i]->name.s, + hdr_mask[i]->name.len, &new_buf.len); + + /* Copy the ': ' delimiter*/ + wrap_copy_and_update(&new_buf.s, DELIM, + DELIM_LEN, &new_buf.len); + + /* Copy the first field of the header*/ + wrap_copy_and_update(&new_buf.s, + hdr_mask[i]->body.s, + hdr_mask[i]->body.len, &new_buf.len); /* Copy the rest of the header fields(siblings) if they exist */