From: Aschref Ben Thabet <aschref.ben-tha...@embedded-brains.de>
Taking care of the size of buffer to be copied and replace the unsafe
snprintf() with memcpy().
The reason why we get a warning on sprintf() is because memcpy() has a
length parameter that limits how much memory you copy.
For memcpy(), the input has to be terminated with a \0. If not, it will
continue out of bounds.
---
cpukit/mghttpd/mongoose.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/cpukit/mghttpd/mongoose.c b/cpukit/mghttpd/mongoose.c
index fb2bce7471..6db0bdb58e 100644
--- a/cpukit/mghttpd/mongoose.c
+++ b/cpukit/mghttpd/mongoose.c
@@ -251,7 +251,7 @@ typedef struct DIR {
#define INT64_FMT PRId64
typedef int SOCKET;
#define WINCDECL
-
+#define MIN(a, b)((a) < (b) ? (a) : (b))
#endif // End of Windows and UNIX specific includes
#ifndef HAVE_POLL
@@ -1916,12 +1916,24 @@ static void convert_uri_to_file_name(struct
mg_connection *conn, char *buf,
// we can only do this if the browser declares support
if ((accept_encoding = mg_get_header(conn, "Accept-Encoding")) != NULL) {
if (strstr(accept_encoding,"gzip") != NULL) {
- snprintf(gz_path, sizeof(gz_path), "%s.gz", buf);
- if (mg_stat(conn, gz_path, filep)) {
- filep->gzipped = 1;
- return;
+ memcpy(gz_path, buf, MIN(strlen(buf) + 1, sizeof(gz_path)));
+ if (strlen(buf) > sizeof(gz_path) - 1)
+ strlcpy(gz_path + strlen(gz_path), ".gz", sizeof(gz_path) -
strlen(gz_path));
+ /* else //to be reviewed /
+ {
+ //memory allocation for gz.path with buf_size + .gz
+ mount_path = malloc(strlen(buf) + 1 + sizeof(gz_path);
+ if (mount_path != NULL))
+ strlcpy(mount_path, ".gz", sizeof(mount_path));
+ }
+ snprintf(gz_path, sizeof(gz_path), "%s.gz", buf*)
+*/
+ if (mg_stat(conn, gz_path, filep))
+ {
+ filep->gzipped = 1;
+ return;
+ }
}
- }
}
// Support PATH_INFO for CGI scripts.
--
2.26.2
_______________________________________________
devel mailing list
devel@rtems.org
http://lists.rtems.org/mailman/listinfo/devel
