From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001

From: Michael Catanzaro <mcatanzaro@gnome.org>

Date: Wed, 9 Sep 2020 11:12:02 -0500

Subject: [PATCH] Rewrite url::recvline to be nonrecursive

This function processes network input. It's semi-trusted, because the

PAC ought to be trusted. But we still shouldn't allow it to control how

far we recurse. A malicious PAC can cause us to overflow the stack by

sending a sufficiently-long line without any '\n' character.

Also, this function failed to properly handle EINTR, so let's fix that

too, for good measure.

Fixes #134

---

 libproxy/url.cpp | 28 ++++++++++++++++++----------

 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/libproxy/url.cpp b/libproxy/url.cpp

index ee776b2..68d69cd 100644

--- a/libproxy/url.cpp

+++ b/libproxy/url.cpp

@@ -388,16 +388,24 @@ string url::to_string() const {

 	return m_orig;

 }

-static inline string recvline(int fd) {

-	// Read a character.

-	// If we don't get a character, return empty string.

-	// If we are at the end of the line, return empty string.

-	char c = '\0';

-	

-	if (recv(fd, &c, 1, 0) != 1 || c == '\n')

-		return "";

-

-	return string(1, c) + recvline(fd);

+static string recvline(int fd) {

+	string line;

+	int ret;

+

+	// Reserve arbitrary amount of space to avoid small memory reallocations.

+	line.reserve(128);

+

+	do {

+		char c;

+		ret = recv(fd, &c, 1, 0);

+		if (ret == 1) {

+			if (c == '\n')

+				return line;

+			line += c;

+		}

+	} while (ret == 1 || (ret == -1 && errno == EINTR));

+

+	return line;

 }

 char* url::get_pac() {