Check for WinHTTP response buffer overflow

glpi-project · May 7, 2024 · 646d6d7 · 646d6d7
1 parent fc6f485
commit 646d6d7
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/GLPI-AgentMonitor.cpp b/GLPI-AgentMonitor.cpp
@@ -238,12 +238,29 @@ VOID CALLBACK WinHttpCallback(HINTERNET hInternet, DWORD_PTR dwContext, DWORD dw
             DWORD dwSize = *(LPDWORD)lpvStatusInfo;
             DWORD dwDownloaded;
             CHAR szResponse[128] = "";
+            DWORD dwResponseLen = sizeof(szResponse);
+
+            // If the response size is greater than expected, set "Agent not responding" string and close the WinHTTP handle
+            if (dwSize >= dwResponseLen) {
+                LoadString(hInst, IDS_ERR_NOTRESPONDING, szAgStatus, sizeof(szAgStatus) / sizeof(WCHAR));
+                SetDlgItemText((HWND)dwContext, IDC_AGENTSTATUS, szAgStatus);
+                CloseWinHttpRequest(hInternet);
+                break;
+            }
 
             if (dwSize == 0 || !WinHttpReadData(hInternet, &szResponse, dwSize, &dwDownloaded)) {
                 CloseWinHttpRequest(hInternet);
                 break;
             }
 
+            // If the number of downloaded bytes is equal or greater than expected, set "Agent not responding" string and close the WinHTTP handle
+            if(dwDownloaded >= dwResponseLen) {
+                LoadString(hInst, IDS_ERR_NOTRESPONDING, szAgStatus, sizeof(szAgStatus) / sizeof(WCHAR));
+                SetDlgItemText((HWND)dwContext, IDC_AGENTSTATUS, szAgStatus);
+                CloseWinHttpRequest(hInternet);
+                break;
+            }
+
             // Set last character to null
             szResponse[dwDownloaded] = '\0';