From f729ee922d9ea3557ff21b1682af1dd696c39937 Mon Sep 17 00:00:00 2001
From: Andrew Moss <1043609+amoss@users.noreply.github.com>
Date: Fri, 13 Sep 2019 14:38:46 +0200
Subject: Buffer overflow (#6817) * Buffer overflow The host field in the web_client is to store the value of the Host HTTP header, but it is an arbitrary size and there are no length checks. I could not see an easy way to exploit it but this checks it will not overflow the buffer. * Fix warnings on @thiagoftsm build system.
---
 web/server/web_client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'web')
diff --git a/web/server/web_client.c b/web/server/web_client.c
index 908e3a6a96..db078b966b 100644
--- a/web/server/web_client.c
+++ b/web/server/web_client.c
@@ -791,7 +791,7 @@ static inline char *http_header_parse(struct web_client *w, char *s, int parse_u
 w->auth_bearer_token = strdupz(v);
 }
 else if(hash == hash_host && !strcasecmp(s, "Host")){
- strncpyz(w->host, v, (ve - v));
+ strncpyz(w->host, v, ((size_t)(ve - v) < sizeof(w->host)-1 ? (size_t)(ve - v) : sizeof(w->host)-1));
 }
 #ifdef NETDATA_WITH_ZLIB
 else if(hash == hash_accept_encoding && !strcasecmp(s, "Accept-Encoding")) {
-- 
cgit v1.2.3
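Review bot: The clamped `strncpyz` call in the `Host` branch now silently truncates an over-long Host value to `sizeof(w->host)-1` bytes, so whatever later reads `w->host` sees a prefix that may look like a different, valid name, and nothing is logged. Consider rejecting the request, or at least recording the truncation, when `(size_t)(ve - v) >= sizeof(w->host)`; how `w->host` is consumed is outside this hunk, so the impact is unverified here. The bound also depends on `host` being an array member, which the hunk does not show, so a comment such as `/* sizeof(w->host) assumes host is an array member, not a pointer; -1 leaves room for the NUL */` would make that explicit. For readability the length could be computed once instead of repeating the cast in a ternary: `size_t len = (size_t)(ve - v);`, `if(len > sizeof(w->host)-1) len = sizeof(w->host)-1;`, `strncpyz(w->host, v, len);`. `http_header_parse` starts and ends outside the hunk.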