espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-31 19:24:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/fix_potential_buffer_overflow_http_client_example' into 'master'

Browse Source 
esp_http_client example: fix potential buffer overflow while copying data recieved in HTTP response

Closes IDFGH-9027

See merge request espressif/esp-idf!21869
This commit is contained in:
Mahavir Jain
2023-01-23 12:03:51 +08:00
parent 49551cc48c dd490f7915
commit 8db02b36ac
1 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
examples/protocols/esp_http_client/main/esp_http_client_example.c
View File

@@ -8,6 +8,7 @@
*/ */
#include <string.h> #include <string.h>
#include <sys/param.h>
#include <stdlib.h> #include <stdlib.h>
#include "esp_log.h" #include "esp_log.h"
#include "nvs_flash.h" #include "nvs_flash.h"
@@ -73,20 +74,28 @@ esp_err_t _http_event_handler(esp_http_client_event_t *evt)
*/ */
if (!esp_http_client_is_chunked_response(evt->client)) { if (!esp_http_client_is_chunked_response(evt->client)) {
// If user_data buffer is configured, copy the response into the buffer // If user_data buffer is configured, copy the response into the buffer
int copy_len = 0;
if (evt->user_data) { if (evt->user_data) {
memcpy(evt->user_data + output_len, evt->data, evt->data_len); copy_len = MIN(evt->data_len, (MAX_HTTP_OUTPUT_BUFFER - output_len));
if (copy_len) {
memcpy(evt->user_data + output_len, evt->data, copy_len);
}
} else { } else {
const int buffer_len = esp_http_client_get_content_length(evt->client);
if (output_buffer == NULL) { if (output_buffer == NULL) {
output_buffer = (char *) malloc(esp_http_client_get_content_length(evt->client)); output_buffer = (char *) malloc(buffer_len);
output_len = 0; output_len = 0;
if (output_buffer == NULL) { if (output_buffer == NULL) {
ESP_LOGE(TAG, "Failed to allocate memory for output buffer"); ESP_LOGE(TAG, "Failed to allocate memory for output buffer");
return ESP_FAIL; return ESP_FAIL;
} }
} }
memcpy(output_buffer + output_len, evt->data, evt->data_len); copy_len = MIN(evt->data_len, (buffer_len - output_len));
if (copy_len) {
memcpy(output_buffer + output_len, evt->data, copy_len);
}
} }
output_len += evt->data_len; output_len += copy_len;
} }
break; break;