WPS: Fix HTTP body length check

Commit 7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e ('WPS: Check maximum HTTP body length earlier in the process') added too strict check for body length allocation. The comparison of new_alloc_nbytes against h->max_bytes did not take into account that HTTPREAD_BODYBUF_DELTA was added to previous allocation even if that ended up going beyond h->max_bytes. This ended up rejecting some valid HTTP operations, e.g., when checking AP response to WPS ER setting selected registrar. Fix this by taking HTTPREAD_BODYBUF_DELTA into account. Signed-off-by: Jouni Malinen <j@w1.fi>
2025-02-17 17:43:06 -05:00 · 2015-08-25 00:17:00 +03:00 · 2015-08-25 00:17:00 +03:00 · 2ce741fe0f
commit 2ce741fe0f
parent 20f331b707
1 changed files with 6 additions and 3 deletions
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@ -506,10 +506,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
 			    new_alloc_nbytes < (h->content_length + 1))
 				new_alloc_nbytes = h->content_length + 1;
 			if (new_alloc_nbytes < h->body_alloc_nbytes ||
-			    new_alloc_nbytes > h->max_bytes) {
+			    new_alloc_nbytes > h->max_bytes +
+			    HTTPREAD_BODYBUF_DELTA) {
 				wpa_printf(MSG_DEBUG,
-					   "httpread: Unacceptable body length %d",
-					   new_alloc_nbytes);
+					   "httpread: Unacceptable body length %d (body_alloc_nbytes=%u max_bytes=%u)",
+					   new_alloc_nbytes,
+					   h->body_alloc_nbytes,
+					   h->max_bytes);
 				goto bad;
 			}
 			if ((new_body = os_realloc(h->body, new_alloc_nbytes))