Skip to content

Commit b12e49c

Browse files
yasosa305yasosa305
committed
Fixed vulnerabilities TALOS-2023-1725 and TALOS-2023-1726 published by Cisco TALOS.
1 parent 12f5368 commit b12e49c

File tree

1 file changed

+25
-10
lines changed

1 file changed

+25
-10
lines changed

Server/Source/http-s_req.c

Lines changed: 25 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -845,6 +845,7 @@ static void HTTPsReq_MethodParse (HTTPs_INSTANCE *p_instance,
845845
CPU_CHAR *p_request_method_start;
846846
CPU_CHAR *p_request_method_end;
847847
CPU_SIZE_T len;
848+
CPU_SIZE_T skipped_chars;
848849
HTTPs_INSTANCE_STATS *p_ctr_stats;
849850
CPU_INT32U method;
850851

@@ -857,26 +858,32 @@ static void HTTPsReq_MethodParse (HTTPs_INSTANCE *p_instance,
857858
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
858859
return;
859860
}
860-
/* Move the start ptr to the first meanningful char. */
861+
/* Move the start ptr to the first printable ASCII char.*/
861862
p_request_method_start = HTTP_StrGraphSrchFirst(p_conn->RxBufPtr, len);
862863
if (p_request_method_start == DEF_NULL) {
863864
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
864865
return;
865866
}
866-
len -= p_request_method_start - p_conn->RxBufPtr ;
867+
868+
skipped_chars = p_request_method_start - p_conn->RxBufPtr;
869+
870+
len -= skipped_chars; /* Disregard illegal, non-printable ASCII characters. */
867871
/* Find the end of method string. */
868872
p_request_method_end = Str_Char_N(p_request_method_start, len, ASCII_CHAR_SPACE);
869873
if (p_request_method_end == DEF_NULL) {
870874
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
871875
return;
872876
}
873-
len = p_request_method_end - p_request_method_start;
877+
878+
p_conn->RxBufLenRem -= skipped_chars; /* Update RxBufLenRem to reflect nbr of skipped chars. */
879+
880+
len = p_request_method_end - p_request_method_start;
874881
/* Try to match the Method str received. */
875-
method = HTTP_Dict_KeyGet(HTTP_Dict_ReqMethod,
876-
HTTP_Dict_ReqMethodSize,
877-
p_request_method_start,
878-
DEF_YES,
879-
len);
882+
method = HTTP_Dict_KeyGet(HTTP_Dict_ReqMethod,
883+
HTTP_Dict_ReqMethodSize,
884+
p_request_method_start,
885+
DEF_YES,
886+
len);
880887
/* Validate the DictionaryKey search results */
881888
if (method == HTTP_DICT_KEY_INVALID) {
882889
p_conn->Method = HTTP_METHOD_UNKNOWN;
@@ -1362,6 +1369,7 @@ static void HTTPsReq_ProtocolVerParse (HTTPs_INSTANCE *p_instance,
13621369
CPU_CHAR *p_protocol_ver_end;
13631370
CPU_INT32U len;
13641371
CPU_INT32U protocol_ver;
1372+
CPU_SIZE_T skipped_chars;
13651373
HTTPs_INSTANCE_STATS *p_ctr_stats;
13661374

13671375

@@ -1375,11 +1383,18 @@ static void HTTPsReq_ProtocolVerParse (HTTPs_INSTANCE *p_instance,
13751383
/* Move the pointer to the next meaningful char. */
13761384
p_protocol_ver_start = HTTP_StrGraphSrchFirst(p_conn->RxBufPtr, len);
13771385
if (p_protocol_ver_start == DEF_NULL) {
1378-
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
1386+
*p_err = HTTPs_ERR_REQ_FORMAT_INVALID;
13791387
return;
13801388
}
1389+
1390+
skipped_chars = p_protocol_ver_start - p_conn->RxBufPtr;
1391+
1392+
len -= skipped_chars; /* Disregard illegal, non-printable ASCII characters. */
13811393
/* Find the end of the request line. */
1382-
p_protocol_ver_end = Str_Str_N(p_protocol_ver_start, STR_CR_LF, len);
1394+
p_protocol_ver_end = Str_Str_N(p_protocol_ver_start, STR_CR_LF, len);
1395+
/* Update RxBufLenRem to reflect nbr of skipped chars. */
1396+
p_conn->RxBufLenRem -= skipped_chars;
1397+
13831398
if (p_protocol_ver_end == DEF_NULL) { /* If not found, check to get more data. */
13841399
if (p_conn->RxBufPtr != p_conn->BufPtr) {
13851400
*p_err = HTTPs_ERR_REQ_MORE_DATA_REQUIRED;

0 commit comments

Comments
 (0)