Fix massive post data probile in ecore-con that would cause

post data to be corrupted (as it was never copied into the ecore con url struct) or could cause crashes if the memory pointed to became invalid. SVN revision: 66619
2011-12-29 08:55:11 +00:00 · 2011-12-29 08:55:11 +00:00 · b92c19a84d
parent 0c167d3052
commit b92c19a84d
3 changed files with 26 additions and 8 deletions
--- a/legacy/ecore/ChangeLog
+++ b/legacy/ecore/ChangeLog
@ -447,3 +447,10 @@

        * Fix mouse down grab counts going bad by missing events.

+2011-12-29 Carsten Haitzler (The Rasterman)
+
+        * Fix massive post data probile in ecore-con that would cause
+        post data to be corrupted (as it was never copied into the
+        ecore con url struct) or could cause crashes if the memory
+        pointed to became invalid.
+
--- a/legacy/ecore/src/lib/ecore_con/ecore_con_private.h
+++ b/legacy/ecore/src/lib/ecore_con/ecore_con_private.h
@ -208,6 +208,8 @@ struct _Ecore_Con_Url
   Ecore_Con_Url_Time time_condition;
   double timestamp;
   void *data;
+   
+   void *post_data;

   int received;
   int write_fd;
--- a/legacy/ecore/src/lib/ecore_con/ecore_con_url.c
+++ b/legacy/ecore/src/lib/ecore_con/ecore_con_url.c
@ -326,6 +326,7 @@ ecore_con_url_free(Ecore_Con_Url *url_con)
   EINA_LIST_FREE(url_con->response_headers, s)
     free(s);
   eina_stringshare_del(url_con->url);
+   if (url_con->post_data) free(url_con->post_data);
   free(url_con);
 #else
   return;
@ -604,7 +605,7 @@ _ecore_con_url_send(Ecore_Con_Url *url_con,
 #ifdef HAVE_CURL
   Eina_List *l;
   const char *s;
-   char tmp[256];
+   char tmp[512];

   if (!ECORE_MAGIC_CHECK(url_con, ECORE_MAGIC_CON_URL))
     {
@ -627,16 +628,24 @@ _ecore_con_url_send(Ecore_Con_Url *url_con,

   if ((mode == MODE_POST) || (mode == MODE_AUTO))
     {
-        if (data)
+        if (url_con->post_data) free(url_con->post_data);
+        url_con->post_data = NULL;
+        if ((data) && (length > 0))
          {
-             if ((content_type) && (strlen(content_type) < 200))
+             url_con->post_data = malloc(length);
+             if (url_con->post_data)
               {
-                  snprintf(tmp, sizeof(tmp), "Content-Type: %s", content_type);
-                  url_con->headers = curl_slist_append(url_con->headers, tmp);
+                  memcpy(url_con->post_data, data, length);
+                  if ((content_type) && (strlen(content_type) < 450))
+                    {
+                       snprintf(tmp, sizeof(tmp), "Content-Type: %s", content_type);
+                       url_con->headers = curl_slist_append(url_con->headers, tmp);
+                    }
+                  curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDS, url_con->post_data);
+                  curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDSIZE, length);
               }
-
-             curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDS, data);
-             curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDSIZE, length);
+             else
+               return EINA_FALSE;
          }
        else curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDSIZE, 0);
        if (mode == MODE_POST)