3party/mongoose
0
0
Fork 0
mirror of https://github.com/cesanta/mongoose.git synced 2024-12-31 01:13:01 +08:00
Code Issues Projects Releases Wiki Activity

Fix body length calculation in mg_handle_cgi

Browse Source 
Fixes https://nvd.nist.gov/vuln/detail/CVE-2018-10945

CL: mg: Fix body length calculation in mg_handle_cgi

PUBLISHED_FROM=0c30cf36fdb67c75f6148468701e23d6ee72d953
This commit is contained in:
Deomid Ryabkov 2018-08-13 15:50:01 +03:00 committed by Cesanta Bot
parent 86b8a56b05
commit f33d3a4e02
2 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
mongoose.c
View File

@ -9140,7 +9140,6 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,
if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir, if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir,
fds[1]) != 0) { fds[1]) != 0) {
size_t n = nc->recv_mbuf.len - (hm->message.len - hm->body.len);
struct mg_connection *cgi_nc = struct mg_connection *cgi_nc =
mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc)); mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc));
struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc); struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);
@ -9150,8 +9149,8 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,
#endif #endif
nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS; nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS;
/* Push POST data to the CGI */ /* Push POST data to the CGI */
if (n > 0 && n < nc->recv_mbuf.len) { if (hm->body.len > 0) {
mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, n); mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, hm->body.len);
} }
mbuf_remove(&nc->recv_mbuf, nc->recv_mbuf.len); mbuf_remove(&nc->recv_mbuf, nc->recv_mbuf.len);
} else { } else {

5
src/mg_http_cgi.c
View File

@ -478,7 +478,6 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,
if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir, if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir,
fds[1]) != 0) { fds[1]) != 0) {
size_t n = nc->recv_mbuf.len - (hm->message.len - hm->body.len);
struct mg_connection *cgi_nc = struct mg_connection *cgi_nc =
mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc)); mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc));
struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc); struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);
@ -488,8 +487,8 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,
#endif #endif
nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS; nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS;
/* Push POST data to the CGI */ /* Push POST data to the CGI */
if (n > 0 && n < nc->recv_mbuf.len) { if (hm->body.len > 0) {
mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, n); mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, hm->body.len);
} }
mbuf_remove(&nc->recv_mbuf, nc->recv_mbuf.len); mbuf_remove(&nc->recv_mbuf, nc->recv_mbuf.len);
} else { } else {