WebServer: Fix OOB write (#4088)
Successful exploitation could lead to arbitrary code execution. The bug can be reproduced by running the following in a browser: ``` const formData = new FormData(); for (let i = 0;i < 33;++i) { formData.append("foo", i.toString()); } await fetch("http://esp.local", { method: 'POST', body: formData }); ```
This commit is contained in:
parent
2fd3d042b2
commit
494061af26
@ -356,9 +356,9 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
|
|||||||
client.readStringUntil('\n');
|
client.readStringUntil('\n');
|
||||||
//start reading the form
|
//start reading the form
|
||||||
if (line == ("--"+boundary)){
|
if (line == ("--"+boundary)){
|
||||||
if(_postArgs) delete[] _postArgs;
|
if(_postArgs) delete[] _postArgs;
|
||||||
_postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
|
_postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
|
||||||
_postArgsLen = 0;
|
_postArgsLen = 0;
|
||||||
while(1){
|
while(1){
|
||||||
String argName;
|
String argName;
|
||||||
String argValue;
|
String argValue;
|
||||||
@ -413,6 +413,9 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
|
|||||||
if (line == ("--"+boundary+"--")){
|
if (line == ("--"+boundary+"--")){
|
||||||
log_v("Done Parsing POST");
|
log_v("Done Parsing POST");
|
||||||
break;
|
break;
|
||||||
|
} else if (_postArgsLen >= WEBSERVER_MAX_POST_ARGS) {
|
||||||
|
log_e("Too many PostArgs (max: %d) in request.", WEBSERVER_MAX_POST_ARGS);
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
_currentUpload.reset(new HTTPUpload());
|
_currentUpload.reset(new HTTPUpload());
|
||||||
|
Loading…
Reference in New Issue
Block a user