bug: buffer overflow in substitute_index_file()

[GoogleCodeExporter]

What steps will reproduce the problem?
1. craft path of length equal to PATH_MAX minus length of directory index.html
2. have mongoose serve the directory list

What version of the product are you using? On what operating system?
Win7, mongoose is bleeding edge from hg repo as of today (2012/mar/06)

Code analysis will also show the overflow in substitute_index_file().

The offending lines are these, in combination:
    // Ignore too long entries that may overflow path buffer
    if (filename_vec.len > path_len - n)
      continue;
    mg_strlcpy(path + n + 1, filename_vec.ptr, filename_vec.len + 1);

Notice that the strlcpy will write vec.len+1 bytes at path+n+1 while the 
vec.len is checked against path+n instead of path+n+1+1.

FIX: Correcting bug by editing the check above by adding '+ 2':

    // Ignore too long entries that may overflow path buffer
    if (filename_vec.len > path_len - n - 2)
      continue;

Original issue reported on code.google.com by ger.hobbelt on 6 Mar 2012 at 1:52

[GoogleCodeExporter]

Submitted 
http://code.google.com/p/mongoose/source/detail?r=dfbdc060cf565689bbf9ca19f589c7
4f13bf3235
Thank you.

Original comment by valenok on 11 Mar 2012 at 10:20

• Changed state: Fixed