scanner_get_token: robustness improvement

Patch to make scanner_get_token more robust (avoid over-reading). (cherry picked from commit a3c540bc9b)
2013-08-14 09:22:43 -03:00 · 2013-08-14 09:22:43 -03:00 · cf8c0d0a93
commit cf8c0d0a93
parent 4a78847fb9
3 changed files with 5 additions and 11 deletions
--- a/11
+++ b/11
@ -357,16 +357,9 @@ Version 1.8.0
 Version 1.6.19
 *******************************************************************************

-2013-07-30 Robert Buckley <rbuckley(at)users.sf.net>
+2013-08-13 Peng <howtofly(at)gmail.com>

-	SF ticket #53 Action Error Response not returned
-
-	In soap_ctrlpt.c, in function get_response_value:
-
-	upnp_error_code is checked to see if it is less than 400 because that
-	would indicate a SOAP error code.
-
-	However it should be checked to see if it is greater than 400.
+	Patch to make scanner_get_token more robust (avoid over-reading).

 2013-07-30 Zheng Peng <darkelf2010(at)users.sf.net>

--- a/1
+++ b/1
@ -54,6 +54,7 @@ exempt of errors.
 - Oskar Liljeblad
 - Michael (oxygenic)
 - Paul Vixie
+- Peng
 - Peter Hartley
 - Rene Hexel
 - Robert Buckley (rbuckley)
--- a/upnp/src/genlib/net/http/httpparser.c
+++ b/upnp/src/genlib/net/http/httpparser.c
@ -245,7 +245,7 @@ static parse_status_t scanner_get_token(
 		/* scan identifier */
 		token->buf = cursor++;
 		token_type = TT_IDENTIFIER;
-		while (is_identifier_char(*cursor))
+		while (cursor < null_terminator && is_identifier_char(*cursor))
 			cursor++;
 		if (!scanner->entire_msg_loaded && cursor == null_terminator)
 			/* possibly more valid chars */
@ -255,7 +255,7 @@ static parse_status_t scanner_get_token(
 	} else if (c == ' ' || c == '\t') {
 		token->buf = cursor++;
 		token_type = TT_WHITESPACE;
-		while (*cursor == ' ' || *cursor == '\t')
+		while (cursor < null_terminator && (*cursor == ' ' || *cursor == '\t'))
 			cursor++;
 		if (!scanner->entire_msg_loaded && cursor == null_terminator)
 			/* possibly more chars */