58 lines
1.5 KiB
Diff
58 lines
1.5 KiB
Diff
From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
|
|
From: Michael Catanzaro <mcatanzaro@gnome.org>
|
|
Date: Wed, 9 Sep 2020 11:12:02 -0500
|
|
Subject: [PATCH] Rewrite url::recvline to be nonrecursive
|
|
|
|
This function processes network input. It's semi-trusted, because the
|
|
PAC ought to be trusted. But we still shouldn't allow it to control how
|
|
far we recurse. A malicious PAC can cause us to overflow the stack by
|
|
sending a sufficiently-long line without any '\n' character.
|
|
|
|
Also, this function failed to properly handle EINTR, so let's fix that
|
|
too, for good measure.
|
|
|
|
Fixes #134
|
|
---
|
|
libproxy/url.cpp | 28 ++++++++++++++++++----------
|
|
1 file changed, 18 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
|
|
index ee776b2..68d69cd 100644
|
|
--- a/libproxy/url.cpp
|
|
+++ b/libproxy/url.cpp
|
|
@@ -388,16 +388,24 @@ string url::to_string() const {
|
|
return m_orig;
|
|
}
|
|
|
|
-static inline string recvline(int fd) {
|
|
- // Read a character.
|
|
- // If we don't get a character, return empty string.
|
|
- // If we are at the end of the line, return empty string.
|
|
- char c = '\0';
|
|
-
|
|
- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
|
|
- return "";
|
|
-
|
|
- return string(1, c) + recvline(fd);
|
|
+static string recvline(int fd) {
|
|
+ string line;
|
|
+ int ret;
|
|
+
|
|
+ // Reserve arbitrary amount of space to avoid small memory reallocations.
|
|
+ line.reserve(128);
|
|
+
|
|
+ do {
|
|
+ char c;
|
|
+ ret = recv(fd, &c, 1, 0);
|
|
+ if (ret == 1) {
|
|
+ if (c == '\n')
|
|
+ return line;
|
|
+ line += c;
|
|
+ }
|
|
+ } while (ret == 1 || (ret == -1 && errno == EINTR));
|
|
+
|
|
+ return line;
|
|
}
|
|
|
|
char* url::get_pac() {
|