WebServer: Fix OOB write

Tapped · Tapped · commit 146faf60b39c · 2020-06-14T12:18:21.000+02:00
Successful exploitation could lead to arbitrary code execution. The bug can be reproduced by running the following in a browser: ``` const formData = new FormData(); for (let i = 0;i < 33;++i) { formData.append("foo", i.toString()); } await fetch("http://esp.local", { method: 'POST', body: formData }); ```
diff --git a/libraries/WebServer/src/Parsing.cpp b/libraries/WebServer/src/Parsing.cpp
@@ -356,9 +356,9 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
   client.readStringUntil('\n');
   //start reading the form
   if (line == ("--"+boundary)){
-	 if(_postArgs) delete[] _postArgs;
-	 _postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
-     _postArgsLen = 0;
+   if(_postArgs) delete[] _postArgs;
+    _postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
+    _postArgsLen = 0;
     while(1){
       String argName;
       String argValue;
@@ -406,9 +406,15 @@ bool WebServer::_parseForm(WiFiClient& client, String boundary, uint32_t len){
             }
             log_v("PostArg Value: %s", argValue.c_str());
 
-            RequestArgument& arg = _postArgs[_postArgsLen++];
-            arg.key = argName;
-            arg.value = argValue;
+            if (_postArgsLen >= WEBSERVER_MAX_POST_ARGS) {
+              // TODO: Forward error to user
+              // However this library doesn't have any way of forwarding parser errors to users
+              log_v("Too many PostArgs (max: %d) in request, the rest of the args will be ignored!", WEBSERVER_MAX_POST_ARGS);
+            } else {
+              RequestArgument& arg = _postArgs[_postArgsLen++];
+              arg.key = argName;
+              arg.value = argValue;
+            }
 
             if (line == ("--"+boundary+"--")){
               log_v("Done Parsing POST");
