Description: Fix buffer overflow in add_to_response. Thanks to Peter Kasza.
Author: Jose dos Santos Junior <j.s.junior@live.com>
Last-Update: 2015-09-02
Bug: http://bugs.debian.org/778925
===================================================================
Index: mini-httpd-1.21/mini_httpd.c
===================================================================
--- mini-httpd-1.21.orig/mini_httpd.c
+++ mini-httpd-1.21/mini_httpd.c
@@ -270,7 +270,7 @@ static void start_request( void );
 static void add_to_request( char* str, size_t len );
 static char* get_request_line( void );
 static void start_response( void );
-static void add_to_response( char* str, size_t len );
+static void add_to_response( char* str, size_t len, size_t buflen );
 static void send_response( void );
 static void send_via_write( int fd, off_t size );
 static void send_via_sendfile( int fd, int s, off_t size );
@@ -1655,7 +1655,7 @@ do_dir( void )
 
     add_headers( 200, "Ok", "", "", "text/html; charset=%s", contents_len, sb.st_mtime );
     if ( method != METHOD_HEAD )
-	add_to_response( contents, contents_len );
+	add_to_response( contents, contents_len, sizeof(contents) );
     send_response();
     }
 
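Review bot: `sizeof(contents)` on the changed line is only the buffer capacity if `contents` is a local array; its declaration is outside the hunk, and its pairing with a separate `contents_len` suggests it is a pointer to a listing built on the heap, in which case `sizeof` yields the pointer size (4 or 8) and every directory listing is clamped to a few bytes. Confirm the declaration in do_dir and pass the real capacity — the size the listing was allocated with — rather than `sizeof` of the variable. If no capacity variable is at hand, `add_to_response( contents, contents_len, contents_len );` at least keeps the page intact, since `contents_len` is bounded by the construction of the listing rather than by a possibly-truncated snprintf. do_dir's body begins outside the hunk.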
@@ -2426,9 +2426,9 @@ send_error_body( int s, char* title, cha
 \n\
     <h4>%d %s</h4>\n",
 	s, title, s, title );
-    add_to_response( buf, buflen );
+    add_to_response( buf, buflen, sizeof(buf) );
     buflen = snprintf( buf, sizeof(buf), "%s\n", text );
-    add_to_response( buf, buflen );
+    add_to_response( buf, buflen, sizeof(buf) );
     }
 
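Review bot: Clamping to `sizeof(buf)` is one byte too many for the snprintf call sites: when `snprintf( buf, sizeof(buf), "%s\n", text )` truncates, it returns the untruncated length and writes `sizeof(buf) - 1` characters plus a NUL, so the clamped call sends the terminating 0x00 on the wire as the last byte of the error body. The cap belongs at the formatting call sites rather than in the callee, because send_error_file's fread path legitimately fills all of `sizeof(buf)` with payload: `if ( buflen >= sizeof(buf) ) buflen = sizeof(buf) - 1;` after each snprintf here. The same applies to every snprintf/add_to_response pair in the send_error_tail and add_headers hunks. If `buflen` is a signed int (its declaration is outside the hunk), a negative snprintf error return also converts to a huge size_t and the callee's clamp then sends the whole buffer, including stale bytes; a `buflen < 0` check at the same spot would cover that. send_error_body starts before this hunk.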
 
@@ -2447,7 +2447,7 @@ send_error_file( char* filename )
 	r = fread( buf, 1, sizeof(buf), fp );
 	if ( r == 0 )
 	    break;
-	add_to_response( buf, r );
+	add_to_response( buf, r, sizeof(buf) );
 	}
     (void) fclose( fp );
     return 1;
@@ -2464,14 +2464,14 @@ send_error_tail( void )
 	{
 	int n;
 	buflen = snprintf( buf, sizeof(buf), "<!--\n" );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	for ( n = 0; n < 6; ++n )
 	    {
 	    buflen = snprintf( buf, sizeof(buf), "Padding so that MSIE deigns to show this error instead of its own canned one.\n" );
-	    add_to_response( buf, buflen );
+	    add_to_response( buf, buflen, sizeof(buf) );
 	    }
 	buflen = snprintf( buf, sizeof(buf), "-->\n" );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
 
     buflen = snprintf( buf, sizeof(buf), "\
@@ -2483,7 +2483,7 @@ send_error_tail( void )
 \n\
 </html>\n",
 	SERVER_URL, SERVER_SOFTWARE );
-    add_to_response( buf, buflen );
+    add_to_response( buf, buflen, sizeof(buf) );
     }
 
 
@@ -2502,44 +2502,44 @@ add_headers( int s, char* title, char* e
     make_log_entry();
     start_response();
     buflen = snprintf( buf, sizeof(buf), "%s %d %s\015\012", protocol, status, title );
-    add_to_response( buf, buflen );
+    add_to_response( buf, buflen, sizeof(buf) );
     buflen = snprintf( buf, sizeof(buf), "Server: %s\015\012", SERVER_SOFTWARE );
-    add_to_response( buf, buflen );
+    add_to_response( buf, buflen, sizeof(buf) );
     now = time( (time_t*) 0 );
     (void) strftime( timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &now ) );
     buflen = snprintf( buf, sizeof(buf), "Date: %s\015\012", timebuf );
-    add_to_response( buf, buflen );
+    add_to_response( buf, buflen, sizeof(buf) );
     s100 = status / 100;
     if ( s100 != 2 && s100 != 3 )
 	{
 	buflen = snprintf( buf, sizeof(buf), "Cache-Control: no-cache,no-store\015\012" );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     if ( extra_header != (char*) 0 && extra_header[0] != '\0' )
 	{
 	buflen = snprintf( buf, sizeof(buf), "%s\015\012", extra_header );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     if ( me != (char*) 0 && me[0] != '\0' )
 	{
 	buflen = snprintf( buf, sizeof(buf), "Content-Encoding: %s\015\012", me );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     if ( mt != (char*) 0 && mt[0] != '\0' )
 	{
 	buflen = snprintf( buf, sizeof(buf), "Content-Type: %s\015\012", mt );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     if ( bytes >= 0 )
 	{
 	buflen = snprintf(
 	    buf, sizeof(buf), "Content-Length: %lld\015\012", (long long) bytes );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     if ( p3p != (char*) 0 && p3p[0] != '\0' )
 	{
 	buflen = snprintf( buf, sizeof(buf), "P3P: %s\015\012", p3p );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     if ( max_age >= 0 )
 	{
@@ -2548,17 +2548,17 @@ add_headers( int s, char* title, char* e
 	    timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &expires ) );
 	buflen = snprintf( buf, sizeof(buf),
 	    "Cache-Control: max-age=%d\015\012Expires: %s\015\012", max_age, timebuf );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     if ( mod != (time_t) -1 )
 	{
 	(void) strftime(
 	    timebuf, sizeof(timebuf), rfc1123_fmt, gmtime( &mod ) );
 	buflen = snprintf( buf, sizeof(buf), "Last-Modified: %s\015\012", timebuf );
-	add_to_response( buf, buflen );
+	add_to_response( buf, buflen, sizeof(buf) );
 	}
     buflen = snprintf( buf, sizeof(buf), "Connection: close\015\012\015\012" );
-    add_to_response( buf, buflen );
+    add_to_response( buf, buflen, sizeof(buf) );
     }
 
 
@@ -2611,8 +2611,11 @@ start_response( void )
     }
 
 static void
-add_to_response( char* str, size_t len )
+add_to_response( char* str, size_t len, size_t buflen )
     {
+    if (buflen < len) {
+        len = buflen;
+    }
     add_to_buf( &response, &response_size, &response_len, str, len );
     }
 
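Review bot: The new guard is written in K&R brace style while the surrounding function and file put braces on their own indented line and omit them for a single statement; match the local layout with `if ( buflen < len )` followed by an indented `len = buflen;`. The new parameter also deserves a line of documentation, since `buflen` here means the capacity of the storage behind `str` whereas callers use the same name for a content length: `/* buflen: capacity of the buffer behind str; len is clamped to it so a length that exceeds the buffer (e.g. a truncated snprintf) cannot read past the end. */`. Note that the clamp drops the excess silently — a header or body that did not fit goes out truncated with no diagnostic — so consider logging when `len > buflen`, which makes such truncation visible in operation instead of only as a malformed response.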
