From 9c9cb5b3101afbc84a1b9885631567d9b0b45240 Mon Sep 17 00:00:00 2001
From: Anthony Minessale
Date: Fri, 28 May 2010 14:20:20 -0500
Subject: [PATCH] fix esl buffer overflow
---
 libs/esl/src/esl.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/libs/esl/src/esl.c b/libs/esl/src/esl.c
index d2ca396546..250abb3fe8 100644
--- a/libs/esl/src/esl.c
+++ b/libs/esl/src/esl.c
@@ -838,7 +838,7 @@ ESL_DECLARE(esl_status_t) esl_recv_event(esl_handle_t *handle, int check_q, esl_
 char *cl;
 esl_ssize_t len;
 int zc = 0;
-
+ int bread = 0;
 if (!handle || !handle->connected || handle->sock == ESL_SOCK_INVALID) {
 return ESL_FAIL;
@@ -869,6 +869,13 @@ ESL_DECLARE(esl_status_t) esl_recv_event(esl_handle_t *handle, int check_q, esl_
 beg = c;
 while(handle->connected) {
+ if (bread + 2 >= sizeof(handle->header_buf)) {
+ esl_log(ESL_LOG_CRIT, "OUT OF BUFFER SPACE!\n");
+ handle->connected = 0;
+ esl_mutex_unlock(handle->mutex);
+ return ESL_DISCONNECTED;
+ }
+
 rrval = recv(handle->sock, c, 1, 0);
 if (rrval == 0) {
 if (++zc >= 100) {
@@ -883,6 +890,9 @@ ESL_DECLARE(esl_status_t) esl_recv_event(esl_handle_t *handle, int check_q, esl_
 zc = 0;
 if (*c == '\n') {
+
+ *(c+1) = '\0';
+
+
 if (++crc == 2) {
 break;
 }
@@ -911,8 +921,9 @@ ESL_DECLARE(esl_status_t) esl_recv_event(esl_handle_t *handle, int check_q, esl_
 esl_event_add_header_string(revent, ESL_STACK_BOTTOM, hname, hval);
 }
- beg = c+1;
-
+ c = beg;
+ bread = 0;
+ continue;
 } else {
 crc = 0;
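Review bot: In the `@@ -869,6 +869,13 @@` hunk the new guard `bread + 2 >= sizeof(handle->header_buf)` cannot fire, because no added line in this patch ever increments `bread`; it is declared as 0 in the first hunk and only reset to 0 in the last one. A peer that sends a header line longer than the buffer with no newline would therefore still push the `recv()` write, and the `*(c+1) = '\0';` added in the `@@ -883,6 +890,9 @@` hunk, past the end, assuming `c` walks `handle->header_buf` as the check implies. The counter has to advance with the write pointer, e.g. `bread++;` next to wherever `c` is advanced, presumably after `crc = 0;` in the else branch, whose body continues outside the hunk. Declaring it `size_t bread = 0;` would also remove the signed/unsigned comparison against `sizeof`. The check is only meaningful if `header_buf` is an array member rather than a pointer, which the patch does not show.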
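Review bot: In the `@@ -911,8 +921,9 @@` hunk, the rewind `c = beg;` makes every header line get parsed in place at the start of the buffer and then overwritten by the next one, and nothing in the code records why that is safe. It holds only if `esl_event_add_header_string()` copies `hname` and `hval` rather than keeping the pointers; the call is visible here but its implementation is not. A comment above the rewind, such as `/* header was copied into revent above; reuse the buffer for the next line */`, would document the assumption. It is also worth noting beside the `continue;` that it deliberately skips the rest of the loop body, which lies outside the hunk, so `c` stays at `beg`.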