diff options
author | Daniel Bertalan <dani@danielbertalan.dev> | 2021-10-29 14:16:25 +0200 |
---|---|---|
committer | Ali Mohammad Pur <Ali.mpfard@gmail.com> | 2021-10-30 00:54:34 +0330 |
commit | e9f0ebd4bd972e3d3082e494cbe17c45cb7ed8b4 (patch) | |
tree | 9aa4d1f300e2804161a00ca26266ff6d59f7cf52 /Kernel/Memory/VirtualRange.cpp | |
parent | 47b8d8086408fa37c9e7d0eaa9cff5ebe824babd (diff) | |
download | serenity-e9f0ebd4bd972e3d3082e494cbe17c45cb7ed8b4.zip |
LibHTTP: Fix logic error leading to buffer over-read
When we receive HTTP payloads, we have to ensure that the number of
bytes read is *at most* the value specified in the Content-Length
header.
However, we did not use the correct value when calculating the truncated
size of the last payload. `m_buffered_size` does not store the total
number of bytes received, but rather the number of bytes that haven't
been read from us.
This means that if some data has already been read from us,
`m_buffered_size` is smaller than `m_received_size`. Because of this, we
ended up resizing the `payload` ByteBuffer to a larger size than its
contents. This garbage data was then read by consumers, producing this
warning when executing scripts:
> Extension byte 0xdc in 1 position after first byte 0xdc doesn't make
> sense.
Diffstat (limited to 'Kernel/Memory/VirtualRange.cpp')
0 files changed, 0 insertions, 0 deletions