From 494061af264c40141981ab3ac6c298488b6b86a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emil=20Sandst=C3=B8?= <emilalexer@hotmail.com>
Date: Wed, 30 Sep 2020 14:28:28 +0200
Subject: [PATCH] WebServer: Fix OOB write (#4088)

Successful exploitation could lead to arbitrary code execution.

The bug can be reproduced by running the following in a browser:
```
const formData = new FormData();
for (let i = 0;i < 33;++i) { formData.append("foo", i.toString()); }
await fetch("http://esp.local", { method: 'POST', body: formData });
```
---
 libraries/WebServer/src/Parsing.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libraries/WebServer/src/Parsing.cpp b/libraries/WebServer/src/Parsing.cpp
index e2e9cc43..252e946d 100644
--- a/libraries/WebServer/src/Parsing.cpp
+++ b/libraries/WebServer/src/Parsing.cpp
@@ -356,9 +356,9 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
   client.readStringUntil('\n');
   //start reading the form
   if (line == ("--"+boundary)){
-	 if(_postArgs) delete[] _postArgs;
-	 _postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
-     _postArgsLen = 0;
+   if(_postArgs) delete[] _postArgs;
+    _postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
+    _postArgsLen = 0;
     while(1){
       String argName;
       String argValue;
@@ -413,6 +413,9 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
             if (line == ("--"+boundary+"--")){
               log_v("Done Parsing POST");
               break;
+            } else if (_postArgsLen >= WEBSERVER_MAX_POST_ARGS) {
+              log_e("Too many PostArgs (max: %d) in request.", WEBSERVER_MAX_POST_ARGS);
+              return false;
             }
           } else {
             _currentUpload.reset(new HTTPUpload());