diff options
Diffstat (limited to 'pjlib-util/src/pjlib-util/http_client.c')
-rw-r--r-- | pjlib-util/src/pjlib-util/http_client.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/pjlib-util/src/pjlib-util/http_client.c b/pjlib-util/src/pjlib-util/http_client.c index 941683ef..ceb4c602 100644 --- a/pjlib-util/src/pjlib-util/http_client.c +++ b/pjlib-util/src/pjlib-util/http_client.c @@ -1358,6 +1358,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) if (chal->qop.slen == 0) { const pj_str_t STR_MD5 = { "MD5", 3 }; + int max_len; /* Server doesn't require quality of protection. */ auth_create_digest_response(&digest_response, cred, @@ -1365,8 +1366,9 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) &hreq->hurl.path, &chal->realm, &hreq->param.method); + max_len = len; len = pj_ansi_snprintf( - phdr->value.ptr, len, + phdr->value.ptr, max_len, "Digest username=\"%.*s\", " "realm=\"%.*s\", " "nonce=\"%.*s\", " @@ -1379,7 +1381,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) STR_PREC(hreq->hurl.path), STR_PREC(STR_MD5), STR_PREC(digest_response)); - if (len < 0) + if (len < 0 || len >= max_len) return PJ_ETOOSMALL; phdr->value.slen = len; @@ -1391,13 +1393,15 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) const pj_str_t qop = pj_str("auth"); const pj_str_t nc = pj_str("00000001"); const pj_str_t cnonce = pj_str("b39971"); + int max_len; auth_create_digest_response(&digest_response, cred, &chal->nonce, &nc, &cnonce, &qop, &hreq->hurl.path, &chal->realm, &hreq->param.method); + max_len = len; len = pj_ansi_snprintf( - phdr->value.ptr, len, + phdr->value.ptr, max_len, "Digest username=\"%.*s\", " "realm=\"%.*s\", " "nonce=\"%.*s\", " @@ -1416,7 +1420,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq) STR_PREC(qop), STR_PREC(nc), STR_PREC(cnonce)); - if (len < 0) + if (len < 0 || len >= max_len) return PJ_ETOOSMALL; phdr->value.slen = len; |