fix: crash on request with 11+ headers

This commit fixes a critical crash where if the client sends more than 10 clients, it would crash as it would try to save headers even after 10.
PerformanC · May 10, 2024 · 33e46fc · 33e46fc
1 parent 41b3916
commit 33e46fc
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 11 deletions.
diff --git a/include/httpparser.h b/include/httpparser.h
@@ -39,7 +39,7 @@ struct httpparser_response {
 
 void httpparser_init_request(struct httpparser_request *httpRequest, struct httpparser_header *buffer, int length);
 
-int httpparser_parse_request(struct httpparser_request *httpRequest, const char *request);
+int httpparser_parse_request(struct httpparser_request *httpRequest, const char *request, int request_length);
 
 void httpparser_free_request(struct httpparser_request *httpRequest);
 

diff --git a/lib/httpparser.c b/lib/httpparser.c
@@ -33,7 +33,7 @@ void _httpparser_to_lower_case(char *str) {
   }
 }
 
-int httpparser_parse_request(struct httpparser_request *http_request, const char *request) {
+int httpparser_parse_request(struct httpparser_request *http_request, const char *request, int request_length) {
   struct tstr_string_token headers_end;
   tstr_find_between(&headers_end, request, NULL, 0, "\r\n\r\n", 0);
 
@@ -113,20 +113,23 @@ int httpparser_parse_request(struct httpparser_request *http_request, const char
       frequenc_fast_copy((char *)body_and_length, chunk_size_str, chunk_size.end);
 
       http_request->chunk_length = strtol(chunk_size_str, NULL, 16);
+
+      int requested_length = (request_length + headers_end.end - 4) - chunk_size.end - 2;
+
+      if (requested_length != content_length) return -1;
+
+      if (requested_length > http_request->chunk_length) requested_length = http_request->chunk_length;
+
       http_request->body = frequenc_safe_malloc((http_request->chunk_length + 1) * sizeof(char));
-      http_request->body_length = snprintf(http_request->body, (http_request->chunk_length + 1), "%s", body_and_length + chunk_size.end + 2);
+      frequenc_fast_copy(request + headers_end.end + 4, http_request->body, requested_length);
 
       /* TODO: Implement chunk handling */
       http_request->finished = http_request->body_length == (size_t)http_request->chunk_length;
     } else {
-      http_request->body = frequenc_safe_malloc((content_length + 1) * sizeof(char));
-      http_request->body_length = snprintf(http_request->body, (content_length + 1), "%s", request + headers_end.end + 4);
-
-      if (http_request->body_length != (size_t)content_length) {
-        frequenc_unsafe_free(http_request->body);
+      if ((request_length - headers_end.end - 4) != content_length) return -1;
 
-        return -1;
-      }
+      http_request->body = frequenc_safe_malloc((content_length + 1) * sizeof(char));
+      frequenc_fast_copy(request + headers_end.end + 4, http_request->body, content_length);
 
       http_request->body_length = content_length;
       http_request->finished = true;

diff --git a/lib/httpserver.c b/lib/httpserver.c
@@ -139,7 +139,7 @@ void *listen_messages(void *args) {
     struct httpparser_header headers[10];
     httpparser_init_request(&request, headers, 10);
 
-    if (httpparser_parse_request(&request, payload) != 0) {
+    if (httpparser_parse_request(&request, payload, payload_size) != 0) {
       httpparser_free_request(&request);
 
       printf("[httpparser]: Failed to parse request.\n - Socket: %d\n", csocket_server_client_get_id(&client));