From d1c49a48eabd5276c756fea9dea430c7625dd989 Mon Sep 17 00:00:00 2001
From: stderr64 <linuxwizard@voidnet.dy.fi>
Date: Sun, 17 Sep 2023 18:26:03 +0300
Subject: Added Makefile defines to limit HTTP header length and request body
 length to avoid allocating too much memory on large requests

---
 Makefile       | 6 ++++--
 http_headers.h | 6 +++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index cf8b416..d0450d4 100644
--- a/Makefile
+++ b/Makefile
@@ -2,9 +2,11 @@ CC=gcc
 MAX_PEEK_BYTES=512000
 MAX_RECV_BYTES=512000
 MAX_WEBHOOK_OUTPUT_LENGTH=512000
+MAX_HEADER_LENGTH=32767
+MAX_CONTENT_LENGTH=524288
 
 rel:
-	$(CC) -DMAX_PEEK_BYTES=${MAX_PEEK_BYTES} -DMAX_RECV_BYTES=${MAX_RECV_BYTES} -DMAX_WEBHOOK_OUTPUT_LENGTH=${MAX_WEBHOOK_OUTPUT_LENGTH} -Wall -pedantic-errors -Werror -lssl -lcrypto -lcjson cwebhook.c -o cwebhook
+	$(CC) -DMAX_PEEK_BYTES=${MAX_PEEK_BYTES} -DMAX_RECV_BYTES=${MAX_RECV_BYTES} -DMAX_HEADER_LENGTH=${MAX_HEADER_LENGTH} -DMAX_CONTENT_LENGTH=${MAX_CONTENT_LENGTH} -DMAX_WEBHOOK_OUTPUT_LENGTH=${MAX_WEBHOOK_OUTPUT_LENGTH} -Wall -pedantic-errors -Werror -lssl -lcrypto -lcjson cwebhook.c -o cwebhook
 
 debug:
-	$(CC) -DMAX_PEEK_BYTES=${MAX_PEEK_BYTES} -DMAX_RECV_BYTES=${MAX_RECV_BYTES} -DMAX_WEBHOOK_OUTPUT_LENGTH=${MAX_WEBHOOK_OUTPUT_LENGTH} -Wall -pedantic-errors -Werror -ggdb -lssl -lcrypto -lcjson cwebhook.c -o cwebhook
+	$(CC) -DMAX_PEEK_BYTES=${MAX_PEEK_BYTES} -DMAX_RECV_BYTES=${MAX_RECV_BYTES} -DMAX_HEADER_LENGTH=${MAX_HEADER_LENGTH} -DMAX_CONTENT_LENGTH=${MAX_CONTENT_LENGTH} -DMAX_WEBHOOK_OUTPUT_LENGTH=${MAX_WEBHOOK_OUTPUT_LENGTH} -Wall -pedantic-errors -Werror -ggdb -lssl -lcrypto -lcjson cwebhook.c -o cwebhook
diff --git a/http_headers.h b/http_headers.h
index f3aa397..d8171e8 100644
--- a/http_headers.h
+++ b/http_headers.h
@@ -12,7 +12,7 @@ int get_request_data( http_request_data_t *hdt, char *req_contents ){
     if ( (size_t)strlen(hdt->request_copy) != hdt->request_size )
         return REQ_READ_ERROR;
     hdt->tok_current = strtok_r( hdt->request_copy, "\r\n", &hdt->tok_prev );
-    if ( hdt->tok_current == NULL )
+    if ( hdt->tok_current == NULL || (uint64_t)strlen(hdt->tok_current) >= MAX_HEADER_LENGTH )
         return REQ_READ_ERROR;
     if ( strstr(hdt->tok_current, "GET /") == NULL && strstr(hdt->tok_current, "POST /") == NULL )
         return REQ_READ_ERROR;
@@ -39,12 +39,12 @@ int get_request_data( http_request_data_t *hdt, char *req_contents ){
     if ( (size_t)strlen(hdt->request_copy) != hdt->request_size )
         return REQ_READ_ERROR;
     char *request_body_begin = strstr( hdt->request_copy, "\r\n\r\n" );
-    if ( request_body_begin == NULL ){
+    if ( request_body_begin == NULL || (uint64_t)strlen(request_body_begin) >= MAX_CONTENT_LENGTH ){
         hdt->request_body = NULL;
         return REQ_READ_SUCCESS;
     }
     hdt->tok_current = strtok_r( request_body_begin, "\r\n\r\n", &hdt->tok_prev );
-    if ( hdt->tok_current == NULL ){
+    if ( hdt->tok_current == NULL || (uint64_t)strlen(hdt->tok_current) >= MAX_CONTENT_LENGTH ){
         hdt->request_body = NULL;
         return REQ_READ_SUCCESS;
     }
-- 
cgit v1.2.3-86-g962b