From bf4ef2284b4a9a6d97d0c3d075d3b35ef87f7c2c Mon Sep 17 00:00:00 2001
From: z3APA3A <3APA3A@3proxy.ru>
Date: Thu, 1 Aug 2019 16:46:22 +0300
Subject: [PATCH] Fix: out-of-bounds write and few more bugs in 'admin'
 configuration upload

---
 src/webadmin.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/webadmin.c b/src/webadmin.c
index 1d9ebfd..4ab39bf 100644
--- a/src/webadmin.c
+++ b/src/webadmin.c
@@ -10,7 +10,7 @@
 
 #define RETURN(xxx) { param->res = xxx; goto CLEANRET; }
 
-#define LINESIZE 2048
+#define LINESIZE 65536
 
 extern FILE *writable;
 FILE * confopen();
@@ -342,7 +342,7 @@ void * adminchild(struct clientparam* param) {
  char *sb;
  char *req = NULL;
  struct printparam pp;
- int contentlen = 0;
+ unsigned contentlen = 0;
  int isform = 0;
  int limited = 0;
 
@@ -394,7 +394,8 @@ void * adminchild(struct clientparam* param) {
 	else if(i > 15 && (!strncasecmp(buf, "content-length:", 15))){
 		sb = buf + 15;
 		while(isspace(*sb))sb++;
-		contentlen = atoi(sb);
+		sscanf(sb, "%u", &contentlen);
+		if(contentlen > LINESIZE*1024) contentlen = 0;
 	}
 	else if(i > 13 && (!strncasecmp(buf, "content-type:", 13))){
 		sb = buf + 13;
@@ -525,7 +526,7 @@ void * adminchild(struct clientparam* param) {
 				break;
 			}
 				printstr(&pp, "<h3>Please be careful editing config file remotely</h3>");
-				printstr(&pp, "<form method=\"POST\" action=\"/U\"><textarea cols=\"80\" rows=\"30\" name=\"conffile\">");
+				printstr(&pp, "<form method=\"POST\" action=\"/U\" enctype=\"application/x-www-form-urlencoded\"><textarea cols=\"80\" rows=\"30\" name=\"conffile\">");
 				while(fgets(buf, 256, fp)){
 					printstr(&pp, buf);
 				}
@@ -535,24 +536,23 @@ void * adminchild(struct clientparam* param) {
 		}
 	case 'U':
 		{
-			int l=0;
+			unsigned l=0;
 			int error = 0;
 
-			if(!writable || fseek(writable, 0, 0)){
+			if(!writable || !contentlen || fseek(writable, 0, 0)){
 				error = 1;
 			}
-			while((i = sockgetlinebuf(param, CLIENT, (unsigned char *)buf, LINESIZE - 1, '+', conf.timeouts[STRING_S])) > 0){
+			while(l < contentlen && (i = sockgetlinebuf(param, CLIENT, (unsigned char *)buf, (contentlen - l) > LINESIZE - 1?LINESIZE - 1:contentlen - l, '+', conf.timeouts[STRING_S])) > 0){
 				if(i > (contentlen - l)) i = (contentlen - l);
-				buf[i] = 0;
 				if(!l){
-					if(strncasecmp(buf, "conffile=", 9)) error = 1;
+					if(i<9 || strncasecmp(buf, "conffile=", 9)) error = 1;
 				}
 				if(!error){
+					buf[i] = 0;
 					decodeurl((unsigned char *)buf, 1);
 					fprintf(writable, "%s", l? buf : buf + 9);
 				}
 				l += i;
-				if(l >= contentlen) break;
 			}
 			if(writable && !error){
 				fflush(writable);