projects / project / uhttpd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
uhttpd/file: fix string out of buffer range on uh_defer_script
[project/uhttpd.git] / client.c
diff --git a/client.c b/client.c
index 3c1aa9daf783a587cffc9be44241de396d2d9b77..c037cc79874855999fb849c03e064a7f6a99072b 100644 (file)
--- a/client.c
+++ b/client.c
@@ -95,7 +95,8 @@ static void client_timeout(struct uloop_timeout *timeout)
        struct client *cl = container_of(timeout, struct client, timeout);
 
        cl->state = CLIENT_STATE_CLOSE;
-       uh_connection_close(cl);
+       cl->request.connection_close = true;
+       uh_request_done(cl);
 }
 
 static void uh_set_client_timeout(struct client *cl, int timeout)
@@ -137,6 +138,7 @@ void uh_request_done(struct client *cl)
 void __printf(4, 5)
 uh_client_error(struct client *cl, int code, const char *summary, const char *fmt, ...)
 {
+       struct http_request *r = &cl->request;
        va_list arg;
 
        uh_http_header(cl, code, summary);
@@ -150,6 +152,17 @@ uh_client_error(struct client *cl, int code, const char *summary, const char *fm
                va_end(arg);
        }
 
+       /* Close the connection even when keep alive is set, when it
+        * contains a request body, as it was not read and we are
+        * currently out of sync. Without handling this the body will be
+        * interpreted as part of the next request. The alternative
+        * would be to read and discard the request body here.
+        */
+       if (r->transfer_chunked || r->content_length > 0) {
+               cl->state = CLIENT_STATE_CLOSE;
+               cl->request.connection_close = true;
+       }
+
        uh_request_done(cl);
 }
 
@@ -194,8 +207,7 @@ static int client_parse_request(struct client *cl, char *data)
 
        req->method = h_method;
        req->version = h_version;
-       if (req->version < UH_HTTP_VER_1_1 || req->method == UH_HTTP_MSG_POST ||
-           !conf.http_keepalive)
+       if (req->version < UH_HTTP_VER_1_1 || !conf.http_keepalive)
                req->connection_close = true;
 
        return CLIENT_STATE_HEADER;
@@ -251,10 +263,10 @@ static bool tls_redirect_check(struct client *cl)
                return true;
 
        blob_for_each_attr(cur, cl->hdr.head, rem) {
-               if (!strcmp(blobmsg_name(cur), "host"))
+               if (!strncmp(blobmsg_name(cur), "host", 4))
                        host = blobmsg_get_string(cur);
 
-               if (!strcmp(blobmsg_name(cur), "URL"))
+               if (!strncmp(blobmsg_name(cur), "URL", 3))
                        url = blobmsg_get_string(cur);
 
                if (url && host)
@@ -346,7 +358,7 @@ static void client_parse_header(struct client *cl, char *data)
                }
        } else if (!strcmp(data, "content-length")) {
                r->content_length = strtoul(val, &err, 0);
-               if (err && *err) {
+               if ((err && *err) || r->content_length < 0) {
                        uh_header_error(cl, 400, "Bad Request");
                        return;
                }
@@ -396,6 +408,7 @@ void client_poll_post_data(struct client *cl)
 {
        struct dispatch *d = &cl->dispatch;
        struct http_request *r = &cl->request;
+       enum client_state st;
        char *buf;
        int len;
 
@@ -444,7 +457,7 @@ void client_poll_post_data(struct client *cl)
                ustream_consume(cl->us, sep + 2 - buf);
 
                /* invalid chunk length */
-               if (sep && *sep) {
+               if ((sep && *sep) || r->content_length < 0) {
                        r->content_length = 0;
                        r->transfer_chunked = 0;
                        break;
@@ -460,10 +473,13 @@ void client_poll_post_data(struct client *cl)
        buf = ustream_get_read_buf(cl->us, &len);
        if (!r->content_length && !r->transfer_chunked &&
                cl->state != CLIENT_STATE_DONE) {
+               st = cl->state;
+
                if (cl->dispatch.data_done)
                        cl->dispatch.data_done(cl);
 
-               cl->state = CLIENT_STATE_DONE;
+               if (cl->state == st)
+                       cl->state = CLIENT_STATE_DONE;
        }
 }
 
@@ -516,7 +532,8 @@ void uh_client_read_cb(struct client *cl)
 
                if (!read_cbs[cl->state](cl, str, len)) {
                        if (len == us->r.buffer_len &&
-                           cl->state != CLIENT_STATE_DATA)
+                           cl->state != CLIENT_STATE_DATA &&
+                           cl->state != CLIENT_STATE_DONE)
                                uh_header_error(cl, 413, "Request Entity Too Large");
                        break;
                }
@@ -557,11 +574,13 @@ void uh_client_notify_state(struct client *cl)
                if (!s->eof || s->w.data_bytes)
                        return;
 
+#ifdef HAVE_TLS
                if (cl->tls && cl->ssl.conn && cl->ssl.conn->w.data_bytes) {
                        cl->ssl.conn->eof = s->eof;
                        if (!ustream_write_pending(cl->ssl.conn))
                                return;
                }
+#endif
        }
 
        return client_close(cl);
Tiny HTTP server