OpenARC

Fix a buffer overrun in arc_eoh()

Open flowerysong opened this issue 7 years ago • 1 comments

strncpy(hnbuf, h->hdr_text, h->hdr_namelen) assumes that hdr_namelen will never be longer than ARC_MAXHEADER, but that assumption wasn't enforced anywhere. Enforcing the maximum field name length in arc_parse_header_field() seems reasonable, and prevents malformed headers from overrunning this buffer.

flowerysong • Dec 11 '18 20:12

According to RFC 5322 section 2.1.1, each line of characters MUST be no more than 998 characters, and per the description of field names in section 2.2, field names cannot be folded.

So we can use a lower limit than ARC_MAXHEADER for the restriction in arc_parse_header_field(), to enforce RFC 5322 section 2.1.1 (and can reduce the size of the buffers for header field names, if we need to do so).

futatuki • Sep 14 '24 08:09
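An added example (not OpenARC's code and not written by either commenter) of the fix discussed in this thread: bound the field-name length when the header is parsed, and check it again against the destination size before the copy. `EX_MAXNAME`, `struct ex_hdr` and the `ex_*` functions are hypothetical names, and the 998 cap is an assumption taken from the RFC 5322 line limit cited above.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit for this example: RFC 5322 caps a line at 998 characters and
 * field names cannot be folded, so no valid name is longer than that. */
#define EX_MAXNAME 998

/* Hypothetical stand-in for a parsed header record (not OpenARC's struct). */
struct ex_hdr {
    const char *text;    /* raw "Name: value" bytes */
    size_t      namelen; /* length of the field name */
};

/* Parse step: reject a field with no colon, an empty name, or a name longer
 * than EX_MAXNAME. Returns 0 on success, -1 on rejection. */
int ex_parse_field(const char *raw, size_t rawlen, struct ex_hdr *out)
{
    const char *colon = memchr(raw, ':', rawlen);
    size_t namelen = colon ? (size_t)(colon - raw) : 0;

    if (namelen == 0 || namelen > EX_MAXNAME)
        return -1;
    out->text = raw;
    out->namelen = namelen;
    return 0;
}

/* Copy step: checked against the destination size too, so it holds even if
 * a record did not come from the parser, and it always NUL-terminates. */
int ex_copy_name(char *dst, size_t dstsz, const struct ex_hdr *h)
{
    if (h->namelen >= dstsz)
        return -1;
    memcpy(dst, h->text, h->namelen);
    dst[h->namelen] = '\0';
    return 0;
}

/* Constructed input: a header whose field name is 2000 bytes long. */
int ex_oversized_is_rejected(void)
{
    char big[2048];
    struct ex_hdr h;

    memset(big, 'A', 2000);
    big[2000] = ':';
    return ex_parse_field(big, 2001, &h) == -1;
}
```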