Description: Fix incorrect bounds check when reading request headers
Author: Emmanuel Bouthenot <kolter@debian.org>
Bug-Debian: https://bugs.debian.org/702667
Forwarded: no
Last-Update: 2019-02-18
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/req.h
+++ b/req.h
@@ -1,5 +1,7 @@
 #define HAD_REQ_H
 
+#define MAX_HEADERS 32
+
 struct clinfo {
 	char            name[128];
 	char            ip[128];
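Review bot: `MAX_HEADERS` is added without a comment, and the loops in request.c and filter.c subtract 1 or 2 from it at each use, so the meaning of the limit can only be recovered by reading every caller. A comment above the define such as `/* number of slots in header[], including the terminating NULL entry */` would record that the array is NULL-terminated, which request.c shows when it stores `r->header[i] = NULL` after its read loop. Where a count tied to the declaration is wanted, `sizeof(r->header) / sizeof(r->header[0])` stays correct if the array size changes.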
@@ -21,7 +23,7 @@
 	char            tstamp[32];
 	char            ctype[32];
 
-	char           *header[32];
+	char           *header[MAX_HEADERS];
 
 	char            fname[256];
 	char            lname[257];
--- a/request.c
+++ b/request.c
@@ -189,7 +189,7 @@
 	char           *b, *p;
 
 	i = 0;
-	while ((len = getline(cl, buf, sizeof(buf))) > 0 && i < sizeof(r->header) - 1) {
+	while ((len = getline(cl, buf, sizeof(buf))) > 0 && i < MAX_HEADERS - 1) {
 		b = buf;
 		while (isspace((int) *b) && *(b++) != '\0');
 		if (*b == '\0')
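Review bot: In the loop condition `getline()` runs before `i < MAX_HEADERS - 1`, so once the table is full one more header line is read from the client and discarded before the loop exits. Testing the index first avoids consuming input that will not be stored: `while (i < MAX_HEADERS - 1 && (len = getline(cl, buf, sizeof(buf))) > 0) {`. The same ordering is used in the do_request() loop in the `@@ -493` hunk, where the lines come from the remote server. Whether that path reports the overflow the way this function does with `return 1` is outside the visible lines and worth checking. The loop body continues outside this hunk.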
@@ -210,7 +210,7 @@
 	}
 	r->header[i] = NULL;
 
-	if (i >= sizeof(r->header) - 1)
+	if (i >= MAX_HEADERS - 1)
 		return 1;
 
 	return 0;
@@ -493,7 +493,7 @@
 	}
 	if (r->type != CONNECT) {
 		i = 0;
-		while ((len = getline(s, buf, sizeof(buf))) > 0 && i < sizeof(r->header) - 1) {
+		while ((len = getline(s, buf, sizeof(buf))) > 0 && i < MAX_HEADERS - 1) {
 			DEBUG(("do_request() => got remote header line: (%s)", buf));
 			r->header[i] = (char *) my_alloc(len + 1);
 			(void) strcpy(r->header[i++], buf);
--- a/filter.c
+++ b/filter.c
@@ -56,7 +56,7 @@
 
 	i = 0;
 start_over:
-	while (r->header[i] != NULL && i < sizeof(r->header) - 2) {
+	while (r->header[i] != NULL && i < MAX_HEADERS - 2) {
 		DEBUG(("filter_request() => header entry %d (%s)", i, r->header[i]));
 
 		if (strncasecmp(r->header[i], loop_header, strlen(loop_header)) == 0) {
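Review bot: The loop condition reads `r->header[i]` before it tests `i`, so the bound does not protect the read. With the `start_over:` label leading back into this loop, the index test belongs first: `while (i < MAX_HEADERS - 2 && r->header[i] != NULL) {`. The read appears to stay in bounds only because the read loops in request.c cap `i` at `MAX_HEADERS - 1` and, in the hunk that shows it, store a terminating NULL. The `- 2` here versus `- 1` in the other loops is unexplained, and a short comment naming the slots being reserved would help. The loop body runs past the end of the hunk.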
@@ -104,7 +104,7 @@
 
 	i++;
 	j = 0;
-	while (f_hdr_add[j] != NULL && i < sizeof(r->header) - 1) {
+	while (f_hdr_add[j] != NULL && i < MAX_HEADERS - 1) {
 		r->header[i] = (char *) my_alloc(strlen(f_hdr_add[j]) + 1);
 		(void) strcpy(r->header[i], f_hdr_add[j]);
 
@@ -166,7 +166,7 @@
 		i++;
 
 	}
-	if(r->kalive && i - 2 < sizeof(r->header)) {
+	if(r->kalive && i - 2 < MAX_HEADERS) {
 		r->header[i] = (char *) my_alloc(strlen(http_pkalive) + 1);
 		(void) strcpy(r->header[i], http_pkalive);
 		r->header[++i] = (char *) my_alloc(strlen(http_kalive) + 1);
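Review bot: The guard on the keep-alive block, `i - 2 < MAX_HEADERS`, still admits indices past the end of `header[]`: it is true for every `i` up to `MAX_HEADERS + 1`, and the next lines store into `r->header[i]` and `r->header[++i]`. The preceding loop stops at `i < MAX_HEADERS - 1`, so `i` can apparently be `MAX_HEADERS - 1` here, which puts the second store one slot beyond the array and into the `fname` field that follows it in req.h. Two free slots plus the terminator need `if (r->kalive && i + 2 < MAX_HEADERS) {`, assuming a NULL entry is written after these two stores, which is outside the hunk. With `sizeof` gone the comparison is also no longer unsigned if `i` is a signed int, so a small `i` now passes where it may previously have failed.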
