[svn] Limit the maximum amount of memory allocated by fd_read_hunk and its

callers. Don't allocate more than 64k bytes on headers; don't allocate more than 4k bytes on a single line.
2005-03-19 09:35:15 -08:00 · 2005-03-19 09:35:15 -08:00 · 72ce32e8ab
parent b90b20763b
commit 72ce32e8ab
5 changed files with 53 additions and 12 deletions
--- a/src/ChangeLog
+++ b/src/ChangeLog
@ -1,3 +1,18 @@
+2005-03-17  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* ftp-basic.c (ftp_login): Don't free the string if ftp_response
+	returned an error status because the line didn't get allocated in
+	the first place.
+
+2005-03-15  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* http.c (read_http_response_head): Limit the response size to 64k
+	bytes.
+
+	* retr.c (fd_read_hunk): Accept a MAXSIZE argument that limits the
+	number of bytes the function is allowed to allocate.
+	(fd_read_line): Limit the line to 4096 bytes.
+
 2005-03-12  Hrvoje Niksic  <hniksic@xemacs.org>

 	* wget.h: Include options.h after wgint has been defined.
--- a/src/ftp-basic.c
+++ b/src/ftp-basic.c
@ -123,10 +123,7 @@ ftp_login (int csock, const char *acc, const char *pass)
  /* Get greeting.  */
  err = ftp_response (csock, &respline);
  if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
  if (*respline != '2')
    {
      xfree (respline);
--- a/src/http.c
+++ b/src/http.c
@ -432,6 +432,13 @@ response_head_terminator (const char *hunk, int oldlen, int peeklen)
  return NULL;
 }

+/* The maximum size of a single HTTP response we care to read.  This
+   is not meant to impose an arbitrary limit, but to protect the user
+   from Wget slurping up available memory upon encountering malicious
+   or buggy server output.  Define it to 0 to remove the limit.  */
+
+#define HTTP_RESPONSE_MAX_SIZE 65536
+
 /* Read the HTTP request head from FD and return it.  The error
   conditions are the same as with fd_read_hunk.

@ -443,7 +450,8 @@ response_head_terminator (const char *hunk, int oldlen, int peeklen)
 static char *
 read_http_response_head (int fd)
 {
-  return fd_read_hunk (fd, response_head_terminator, 512);
+  return fd_read_hunk (fd, response_head_terminator, 512,
+		       HTTP_RESPONSE_MAX_SIZE);
 }

 struct response {
--- a/src/retr.c
+++ b/src/retr.c
@ -375,18 +375,23 @@ fd_read_body (int fd, FILE *out, wgint toread, wgint startpos,
   a read.  If the read returns a different amount of data, the
   process is retried until all data arrives safely.

-   BUFSIZE is the size of the initial buffer expected to read all the
-   data in the typical case.
+   SIZEHINT is the buffer size sufficient to hold all the data in the
+   typical case (it is used as the initial buffer size).  MAXSIZE is
+   the maximum amount of memory this function is allowed to allocate,
+   or 0 if no upper limit is to be enforced.

   This function should be used as a building block for other
   functions -- see fd_read_line as a simple example.  */

 char *
-fd_read_hunk (int fd, hunk_terminator_t hunk_terminator, int bufsize)
+fd_read_hunk (int fd, hunk_terminator_t terminator, long sizehint, long maxsize)
 {
+  long bufsize = sizehint;
  char *hunk = xmalloc (bufsize);
  int tail = 0;			/* tail position in HUNK */

+  assert (maxsize >= bufsize);
+
  while (1)
    {
      const char *end;
@ -400,7 +405,7 @@ fd_read_hunk (int fd, hunk_terminator_t hunk_terminator, int bufsize)
 	  xfree (hunk);
 	  return NULL;
 	}
-      end = hunk_terminator (hunk, tail, pklen);
+      end = terminator (hunk, tail, pklen);
      if (end)
 	{
 	  /* The data contains the terminator: we'll drain the data up
@ -458,7 +463,17 @@ fd_read_hunk (int fd, hunk_terminator_t hunk_terminator, int bufsize)

      if (tail == bufsize - 1)
 	{
+	  /* Double the buffer size, but refuse to allocate more than
+	     MAXSIZE bytes.  */
+	  if (maxsize && bufsize >= maxsize)
+	    {
+	      xfree (hunk);
+	      errno = ENOMEM;
+	      return NULL;
+	    }
 	  bufsize <<= 1;
+	  if (maxsize && bufsize > maxsize)
+	    bufsize = maxsize;
 	  hunk = xrealloc (hunk, bufsize);
 	}
    }
@ -474,8 +489,14 @@ line_terminator (const char *hunk, int oldlen, int peeklen)
  return NULL;
 }

+/* The maximum size of the single line we agree to accept.  This is
+   not meant to impose an arbitrary limit, but to protect the user
+   from Wget slurping up available memory upon encountering malicious
+   or buggy server output.  Define it to 0 to remove the limit.  */
+#define FD_READ_LINE_MAX 4096
+
 /* Read one line from FD and return it.  The line is allocated using
-   malloc.
+   malloc, but is never larger than FD_READ_LINE_MAX.

   If an error occurs, or if no data can be read, NULL is returned.
   In the former case errno indicates the error condition, and in the
@ -484,7 +505,7 @@ line_terminator (const char *hunk, int oldlen, int peeklen)
 char *
 fd_read_line (int fd)
 {
-  return fd_read_hunk (fd, line_terminator, 128);
+  return fd_read_hunk (fd, line_terminator, 128, FD_READ_LINE_MAX);
 }

 /* Return a printed representation of the download rate, as
--- a/src/retr.h
+++ b/src/retr.h
@ -41,7 +41,7 @@ int fd_read_body PARAMS ((int, FILE *, wgint, wgint, wgint *, wgint *, double *,

 typedef const char *(*hunk_terminator_t) PARAMS ((const char *, int, int));

-char *fd_read_hunk PARAMS ((int, hunk_terminator_t, int));
+char *fd_read_hunk PARAMS ((int, hunk_terminator_t, long, long));
 char *fd_read_line PARAMS ((int));

 uerr_t retrieve_url PARAMS ((const char *, char **, char **,