WebServer: Fix OOB write (#4088)

Successful exploitation could lead to arbitrary code execution.

The bug can be reproduced by running the following in a browser:
```
const formData = new FormData();
for (let i = 0;i < 33;++i) { formData.append("foo", i.toString()); }
await fetch("http://esp.local", { method: 'POST', body: formData });
```
This commit is contained in:
Emil Sandstø 2020-09-30 14:28:28 +02:00 committed by GitHub
parent 2fd3d042b2
commit 494061af26
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -356,9 +356,9 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
client.readStringUntil('\n'); client.readStringUntil('\n');
//start reading the form //start reading the form
if (line == ("--"+boundary)){ if (line == ("--"+boundary)){
if(_postArgs) delete[] _postArgs; if(_postArgs) delete[] _postArgs;
_postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS]; _postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
_postArgsLen = 0; _postArgsLen = 0;
while(1){ while(1){
String argName; String argName;
String argValue; String argValue;
@ -413,6 +413,9 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
if (line == ("--"+boundary+"--")){ if (line == ("--"+boundary+"--")){
log_v("Done Parsing POST"); log_v("Done Parsing POST");
break; break;
} else if (_postArgsLen >= WEBSERVER_MAX_POST_ARGS) {
log_e("Too many PostArgs (max: %d) in request.", WEBSERVER_MAX_POST_ARGS);
return false;
} }
} else { } else {
_currentUpload.reset(new HTTPUpload()); _currentUpload.reset(new HTTPUpload());