ioLibrary_Driver
Code bug found
Dear WizNet developers,
I think I found a code bug in file Internet/httpServer/httpServer.c at line 149 onwards:
```c
if ((len = getSn_RX_RSR(s)) > 0)
{
    if (len > DATA_BUF_SIZE) len = DATA_BUF_SIZE;
    len = recv(s, (uint8_t *)http_request, len);
    *(((uint8_t *)http_request) + len) = '\0';
```
The bug is that the variable http_request contains a pointer to a receive buffer with DATA_BUF_SIZE elements. So if len is set to DATA_BUF_SIZE, then the last line would write to data which does not belong to the http_request buffer. So it's an invalid memory write in essence.
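The off-by-one described in this report, reproduced next to one possible fix (clamping to `DATA_BUF_SIZE - 1`), as an added example that is not code from the issue or from the ioLibrary_Driver project. Assumptions: `stub_recv`, the guard byte and the small `DATA_BUF_SIZE` value are constructed for the demo so the out-of-bounds write can be observed without the W5x00 driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_BUF_SIZE 8   /* constructed small size for the demo */
#define GUARD 0xA5        /* marks the byte just past the buffer */

/* Hypothetical stand-in for recv(): copies at most len pending bytes. */
static uint16_t stub_recv(uint8_t *dst, const uint8_t *pending, uint16_t avail, uint16_t len)
{
    uint16_t n = avail < len ? avail : len;
    memcpy(dst, pending, n);
    return n;
}

/* Receives and terminates a request; max_len is the clamp applied to len.
 * Returns 1 if the guard byte after the buffer survived, 0 if overwritten. */
static int guard_intact_after_receive(const uint8_t *pending, uint16_t avail, uint16_t max_len)
{
    uint8_t region[DATA_BUF_SIZE + 1];   /* the buffer plus one guard byte */
    uint8_t *http_request = region;      /* first DATA_BUF_SIZE bytes are "the buffer" */
    uint16_t len = avail;

    region[DATA_BUF_SIZE] = GUARD;
    if (len > max_len) len = max_len;
    len = stub_recv(http_request, pending, avail, len);
    http_request[len] = '\0';            /* same terminator write as in the issue */
    return region[DATA_BUF_SIZE] == GUARD;
}

/* Clamp as quoted in the issue: len may equal DATA_BUF_SIZE. */
int reported_clamp_is_safe(const uint8_t *pending, uint16_t avail)
{
    return guard_intact_after_receive(pending, avail, DATA_BUF_SIZE);
}

/* Hardened clamp: always leave one byte for the terminator. */
int hardened_clamp_is_safe(const uint8_t *pending, uint16_t avail)
{
    return guard_intact_after_receive(pending, avail, DATA_BUF_SIZE - 1);
}

int main(void)
{
    const uint8_t req[] = "GET /index.html";   /* constructed input, longer than the buffer */
    printf("reported clamp safe: %d\n", reported_clamp_is_safe(req, sizeof req - 1));
    printf("hardened clamp safe: %d\n", hardened_clamp_is_safe(req, sizeof req - 1));
    return 0;
}
```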