/cpw/tomkiewicz/http: ab563d4c927a: Don't eat resources with mal...

Tomasz Wasilczyk tomkiewicz at cpw.pidgin.im
Tue Oct 16 06:55:32 EDT 2012


Changeset: ab563d4c927a3ccbfa0dfd481ab0e40aa6b2fc76
Author:	 Tomasz Wasilczyk <tomkiewicz at cpw.pidgin.im>
Date:	 2012-10-16 12:55 +0200
Branch:	 default
URL: http://hg.pidgin.im/cpw/tomkiewicz/http/rev/ab563d4c927a

Description:

Don't eat resources with malicious http server

diffstat:

 libpurple/http.c |  19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

diffs (43 lines):

diff --git a/libpurple/http.c b/libpurple/http.c
--- a/libpurple/http.c
+++ b/libpurple/http.c
@@ -30,6 +30,7 @@
 #include "debug.h"
 
 #define PURPLE_HTTP_URL_CREDENTIALS_CHARS "a-z0-9.,~_/*!&%?=+\\^-"
+#define PURPLE_HTTP_MAX_RECV_BUFFER_LEN 10240
 
 typedef struct _PurpleHttpURL PurpleHttpURL;
 
@@ -340,7 +341,14 @@ static gboolean _purple_http_recv_header
 		return FALSE;
 	}
 
-	g_string_append_len(hc->response_buffer, buf, len); //TODO: check max buffer length, not to raise to infinity
+	g_string_append_len(hc->response_buffer, buf, len);
+	if (hc->response_buffer->len > PURPLE_HTTP_MAX_RECV_BUFFER_LEN) {
+		purple_debug_error("http",
+			"Buffer too big when parsing headers\n");
+		_purple_http_error(hc, _("Error parsing HTTP"));
+		return FALSE;
+	}
+
 	while ((eol = strstr(hc->response_buffer->str, "\r\n"))
 		!= NULL) {
 		gchar *hdrline = hc->response_buffer->str;
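Review bot: The new cap in `_purple_http_recv_header` bounds only the bytes still waiting in `hc->response_buffer`, so it stops one endless header line but, as far as this hunk shows, not an endless stream of short ones. The `while` loop that follows picks off each `\r\n`-terminated line (its body continues outside the hunk), so a server that keeps sending short headers would presumably never trip the check while the parsed headers keep accumulating elsewhere. Consider also tracking total header bytes per connection and failing the same way, e.g. `hc->header_bytes += len; if (hc->header_bytes > PURPLE_HTTP_MAX_HEADERS_LEN) { ... }` (both names are placeholders, not existing identifiers). The same six-line check is repeated verbatim in the chunked-body hunk below; a small static helper taking the debug message would keep the two limits in step.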
@@ -414,7 +422,14 @@ static gboolean _purple_http_recv_body_c
 	if (!hc->response_buffer)
 		hc->response_buffer = g_string_new("");
 
-	g_string_append_len(hc->response_buffer, buf, len); //TODO: check max buffer length, not to raise to infinity
+	g_string_append_len(hc->response_buffer, buf, len);
+	if (hc->response_buffer->len > PURPLE_HTTP_MAX_RECV_BUFFER_LEN) {
+		purple_debug_error("http",
+			"Buffer too big when searching for chunk\n");
+		_purple_http_error(hc, _("Error parsing HTTP"));
+		return FALSE;
+	}
+
 	while (hc->response_buffer->len > 0) {
 		if (hc->in_chunk) {
 			int got_now = hc->response_buffer->len;
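Review bot: The length check before the `while` loop runs whether or not `hc->in_chunk` is set, so it also counts chunk payload the loop is about to consume, not only an unterminated chunk-size line. If the caller can ever hand this function more than 10240 bytes in one call (the read size is not visible here), a well-formed chunked response would be aborted with "Buffer too big when searching for chunk". Restricting the cap to the state that is actually looking for chunk framing, e.g. `if (!hc->in_chunk && hc->response_buffer->len > PURPLE_HTTP_MAX_RECV_BUFFER_LEN) {`, would keep the bound on server-controlled framing without limiting body data. This should be confirmed against the rest of the loop, which continues outside the hunk.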


