Diffstat (limited to 'pjlib-util/src/pjlib-util/http_client.c')
-rw-r--r--pjlib-util/src/pjlib-util/http_client.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/pjlib-util/src/pjlib-util/http_client.c b/pjlib-util/src/pjlib-util/http_client.c
index 941683ef..ceb4c602 100644
--- a/pjlib-util/src/pjlib-util/http_client.c
+++ b/pjlib-util/src/pjlib-util/http_client.c
@@ -1358,6 +1358,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
if (chal->qop.slen == 0) {
const pj_str_t STR_MD5 = { "MD5", 3 };
+ int max_len;
/* Server doesn't require quality of protection. */
auth_create_digest_response(&digest_response, cred,
@@ -1365,8 +1366,9 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
&hreq->hurl.path, &chal->realm,
&hreq->param.method);
+ max_len = len;
len = pj_ansi_snprintf(
- phdr->value.ptr, len,
+ phdr->value.ptr, max_len,
"Digest username=\"%.*s\", "
"realm=\"%.*s\", "
"nonce=\"%.*s\", "
@@ -1379,7 +1381,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
STR_PREC(hreq->hurl.path),
STR_PREC(STR_MD5),
STR_PREC(digest_response));
- if (len < 0)
+ if (len < 0 || len >= max_len)
return PJ_ETOOSMALL;
phdr->value.slen = len;
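Review bot: `len` still serves as both the buffer capacity and the formatted length, which is why this check needs the `max_len` copy taken just before the call, and why the same `int max_len; ... max_len = len;` pair is repeated in the qop=auth branch (hunks at 1391 and 1416). Keeping the capacity in one variable set where the buffer is sized (outside the visible hunks) and storing the result separately would make the bound harder to lose in a later edit, e.g. `n = pj_ansi_snprintf(phdr->value.ptr, max_len, ...); if (n < 0 || n >= max_len) return PJ_ETOOSMALL;`. A one-line comment such as `/* a C99 snprintf returns the untruncated length, so >= max_len means the header was cut */` would also record why `len < 0` alone was not enough. auth_respond_digest starts and ends outside this hunk.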
@@ -1391,13 +1393,15 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
const pj_str_t qop = pj_str("auth");
const pj_str_t nc = pj_str("00000001");
const pj_str_t cnonce = pj_str("b39971");
+ int max_len;
auth_create_digest_response(&digest_response, cred,
&chal->nonce, &nc, &cnonce, &qop,
&hreq->hurl.path, &chal->realm,
&hreq->param.method);
+ max_len = len;
len = pj_ansi_snprintf(
- phdr->value.ptr, len,
+ phdr->value.ptr, max_len,
"Digest username=\"%.*s\", "
"realm=\"%.*s\", "
"nonce=\"%.*s\", "
@@ -1416,7 +1420,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
STR_PREC(qop),
STR_PREC(nc),
STR_PREC(cnonce));
- if (len < 0)
+ if (len < 0 || len >= max_len)
return PJ_ETOOSMALL;
phdr->value.slen = len;
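Review bot: The `cnonce` and `nc` values formatted here come from the fixed literals `"b39971"` and `"00000001"` declared at the top of this branch (previous hunk), and the commit leaves them unchanged. With qop=auth the client nonce is meant to be fresh and unpredictable per request; a constant gives up the protection it offers against a server-chosen nonce and makes every response for a given nonce identical. Consider filling a local buffer per request, e.g. `char cnonce_buf[16]; pj_create_random_string(cnonce_buf, sizeof(cnonce_buf));` and pointing `cnonce` at it, with a stronger random source if the platform provides one. Whether `nc` also needs to count up depends on whether a nonce is reused across requests, which is not visible here.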