From: <ja...@us...> - 2003-12-15 09:41:09
Update of /cvsroot/iptables-p2p/iptables-p2p/kernel In directory sc8-pr-cvs1:/tmp/cvs-serv18457 Modified Files: match_http.c Log Message: prevent buffer overflow Index: match_http.c =================================================================== RCS file: /cvsroot/iptables-p2p/iptables-p2p/kernel/match_http.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- match_http.c 15 Dec 2003 09:32:20 -0000 1.4 +++ match_http.c 15 Dec 2003 09:41:06 -0000 1.5 @@ -61,7 +61,11 @@ #define HM_X_QUEUE 4 #define HM_X_TIGER_THREE 5 -#define HEADERS_COUNT (sizeof(methods_list)/sizeof(char *)) /* Not pretty: Is there a better way? */ +/* + * <liquidk> Not pretty: Is there a better way? + * <jasta> No. + */ +#define HEADERS_COUNT (sizeof(methods_list)/sizeof(methods_list[0])) static inline const unsigned char * next_line(const unsigned char *data, @@ -78,16 +82,24 @@ static inline int string_match(const unsigned char *data, + const unsigned char *end, const unsigned char **strings) { - int i = 0; + int i; + size_t stringlen; - while (strings[i]) + for (i = 0; strings[i] != NULL; i++) { - if (memcmp(data, strings[i], strlen(strings[i]) - 1) == 0) - return i; + /* TODO: We absolutely need to precalculate the size of the above + * strings and store them somewhere */ + stringlen = strlen (strings[i]); - i++; + /* avoid overflow */ + if (data + stringlen > end) + continue; + + if (memcmp(data, strings[i], stringlen) == 0) + return 1; } return -1; @@ -106,7 +118,8 @@ if (end - data < SIZE_MIN || end - data > SIZE_MAX) return 0; - method_matched = string_match(data, methods_list); + /* <jasta> Why is this outside the loop below? */ + method_matched = string_match(data, end, methods_list); if (method_matched == -1) return 0; 
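Review bot: HEADERS_COUNT still divides sizeof(methods_list) even though its name, and its only visible consumer, the headers_matched array that the last hunk indexes with a headers_list match, point at headers_list; if headers_list has more entries than methods_list and headers_matched is sized with this macro, that store runs off the end of the array. Assuming headers_list is a real array in scope at this point (sizeof on a pointer would silently yield the pointer size), the line should read `#define HEADERS_COUNT (sizeof(headers_list)/sizeof(headers_list[0]))`. The count presumably includes the NULL terminator that the string_match loop stops on, which is harmless for an array bound but worth stating in the comment instead of the chat excerpt.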
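Review bot: The rewritten loop in string_match now returns 1 on a match where the old code returned the index i, yet the caller in the last hunk still stores `headers_matched[header] = 1` with that return value, so every matched header lands in slot 1; the match branch should stay `return i;`. The new bound check forms `data + stringlen` before comparing it with end, which yields a pointer beyond the buffer whenever the pattern is longer than the remaining input; `if ((size_t)(end - data) < stringlen) continue;` makes the same decision without forming that pointer. The new end parameter carries no documentation, and hunk 3's `end - data < SIZE_MIN` test suggests it is one past the last byte; a comment such as `/* end: one past the last readable byte of data */` on the prototype would pin that down. string_match's closing brace falls outside the hunk.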
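Review bot: The added comment `/* <jasta> Why is this outside the loop below? */` is a chat-style question left in the source rather than a statement of intent; either answer it in place (for example a one-line note that the method token is only expected on the request line) or mark it `/* TODO(jasta): ... */` so it is tracked rather than read as a warning. The enclosing function starts before this hunk and continues after it, so whether the call can move into the loop is not decidable from the visible lines.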
@@ -117,12 +130,7 @@ { int header; - /* - * FIXME: Should check for buffer overrun here. - * - * string_match should receive end - data as an argument - */ - header = string_match(data, headers_list); + header = string_match(data, end, headers_list); if (header != -1) headers_matched[header] = 1; |
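Review bot: `headers_matched[header] = 1` uses string_match's return value as an array index with only a `!= -1` check, so any non-negative value is written blindly; a guard such as `if (header >= 0 && header < HEADERS_COUNT) headers_matched[header] = 1;` (assuming HEADERS_COUNT is what sizes headers_matched, which is declared outside this hunk) would keep the write in bounds if the two lists or the array ever drift. This also relies on string_match returning the matching index rather than a match flag, which should be confirmed against the string_match hunk above. The enclosing loop and function begin before this hunk and end after it.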