diracdeltas / FastestWebsiteEver

ultrafast single TCP packet audio/visual experience
http://packet.city/
GNU General Public License v3.0

Buffer overflow, every time #3

Closed glasser closed 7 years ago

glasser commented 7 years ago

I recognize that it wouldn't be C without a buffer overflow or two. That said:

    send_buffer = (char*)calloc(numbytes, sizeof(char));   /* only numbytes bytes allocated */
    hdrbytes = sprintf(send_buffer, "HTTP/1.1 200 k\nContent-Length: %d\ncontent-encoding: deflate\n\n", numbytes);
    memcpy(send_buffer+hdrbytes, buffer, numbytes);        /* writes hdrbytes past the end */

send_buffer has size numbytes. You then copy numbytes worth of data onto a place starting after the beginning of send_buffer. Looks like a buffer overflow to me! Simplest fix is to have an intermediate buffer for the header, and only allocate send_buffer once we know how big it needs to be.
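The fix glasser describes, written out as an added example (not the project's code): format the header into a separate fixed-size buffer first, then allocate `send_buffer` at header length plus body length before copying either part. `build_response`, its signature and the 128-byte header scratch buffer are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: builds the full HTTP response in a heap buffer
 * sized for header + body. Returns the buffer and stores its total length
 * in *out_len, or returns NULL on failure. The caller frees the result. */
char *build_response(const char *body, size_t numbytes, size_t *out_len)
{
    /* 1. Format the header into a local scratch buffer, with a bound.
     *    128 bytes is ample for this header and any size_t Content-Length. */
    char hdr[128];
    int hdrbytes = snprintf(hdr, sizeof hdr,
        "HTTP/1.1 200 k\nContent-Length: %zu\ncontent-encoding: deflate\n\n",
        numbytes);
    if (hdrbytes < 0 || (size_t)hdrbytes >= sizeof hdr)
        return NULL;                 /* encoding error or truncation */

    /* 2. Now the real size is known: header + body. Guard the addition. */
    size_t total = (size_t)hdrbytes + numbytes;
    if (total < numbytes)
        return NULL;                 /* size_t wrapped around */
    char *send_buffer = malloc(total);
    if (send_buffer == NULL)
        return NULL;

    /* 3. Copy header, then body; each write stays inside the allocation. */
    memcpy(send_buffer, hdr, (size_t)hdrbytes);
    memcpy(send_buffer + hdrbytes, body, numbytes);
    *out_len = total;
    return send_buffer;
}
```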

diracdeltas commented 7 years ago

also reported on twitters