Skip to content

Commit

Permalink
Fix body length calculation in mg_handle_cgi
Browse files Browse the repository at this point in the history 
Fixes https://nvd.nist.gov/vuln/detail/CVE-2018-10945

CL: mg: Fix body length calculation in mg_handle_cgi

PUBLISHED_FROM=0c30cf36fdb67c75f6148468701e23d6ee72d953
  • Loading branch information
@cesantabot
Deomid Ryabkov authored and cesantabot committed Aug 13, 2018
1 parent 86b8a56 commit f33d3a4
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 6 deletions.
5 changes: 2 additions & 3 deletions mongoose.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9140,7 +9140,6 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,

if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir,
fds[1]) != 0) {
size_t n = nc->recv_mbuf.len - (hm->message.len - hm->body.len);
struct mg_connection *cgi_nc =
mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc));
struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);
Expand All @@ -9150,8 +9149,8 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,
#endif
nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS;
/* Push POST data to the CGI */
if (n > 0 && n < nc->recv_mbuf.len) {
mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, n);
if (hm->body.len > 0) {
mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, hm->body.len);
}
mbuf_remove(&nc->recv_mbuf, nc->recv_mbuf.len);
} else {
Expand Down
5 changes: 2 additions & 3 deletions src/mg_http_cgi.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -478,7 +478,6 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,

if (mg_start_process(opts->cgi_interpreter, prog, blk.buf, blk.vars, dir,
fds[1]) != 0) {
size_t n = nc->recv_mbuf.len - (hm->message.len - hm->body.len);
struct mg_connection *cgi_nc =
mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler MG_UD_ARG(nc));
struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);
Expand All @@ -488,8 +487,8 @@ MG_INTERNAL void mg_handle_cgi(struct mg_connection *nc, const char *prog,
#endif
nc->flags |= MG_F_HTTP_CGI_PARSE_HEADERS;
/* Push POST data to the CGI */
if (n > 0 && n < nc->recv_mbuf.len) {
mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, n);
if (hm->body.len > 0) {
mg_send(cgi_pd->cgi.cgi_nc, hm->body.p, hm->body.len);
}
mbuf_remove(&nc->recv_mbuf, nc->recv_mbuf.len);
} else {
Expand Down

0 comments on commit f33d3a4

Please sign in to comment.