From 646d6d78c2c6bd5be6aa8cd9a28dcc3aea1486e9 Mon Sep 17 00:00:00 2001
From: Leonardo Bernardes <58712628+redddcyclone@users.noreply.github.com>
Date: Mon, 22 Apr 2024 08:58:19 -0300
Subject: [PATCH] Check for WinHTTP response buffer overflow
---
 GLPI-AgentMonitor.cpp | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/GLPI-AgentMonitor.cpp b/GLPI-AgentMonitor.cpp
index df21e2b..8d20107 100644
--- a/GLPI-AgentMonitor.cpp
+++ b/GLPI-AgentMonitor.cpp
@@ -238,12 +238,29 @@ VOID CALLBACK WinHttpCallback(HINTERNET hInternet, DWORD_PTR dwContext, DWORD dw
 DWORD dwSize = *(LPDWORD)lpvStatusInfo;
 DWORD dwDownloaded;
 CHAR szResponse[128] = "";
+ DWORD dwResponseLen = sizeof(szResponse);
+
+ // If the response size is greater than expected, set "Agent not responding" string and close the WinHTTP handle
+ if (dwSize >= dwResponseLen) {
+ LoadString(hInst, IDS_ERR_NOTRESPONDING, szAgStatus, sizeof(szAgStatus) / sizeof(WCHAR));
+ SetDlgItemText((HWND)dwContext, IDC_AGENTSTATUS, szAgStatus);
+ CloseWinHttpRequest(hInternet);
+ break;
+ }
 if (dwSize == 0 || !WinHttpReadData(hInternet, &szResponse, dwSize, &dwDownloaded)) {
 CloseWinHttpRequest(hInternet);
 break;
 }
+ // If the number of downloaded bytes is equal or greater than expected, set "Agent not responding" string and close the WinHTTP handle
+ if(dwDownloaded >= dwResponseLen) {
+ LoadString(hInst, IDS_ERR_NOTRESPONDING, szAgStatus, sizeof(szAgStatus) / sizeof(WCHAR));
+ SetDlgItemText((HWND)dwContext, IDC_AGENTSTATUS, szAgStatus);
+ CloseWinHttpRequest(hInternet);
+ break;
+ }
+ // Set last character to null
 szResponse[dwDownloaded] = '\0';
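Review bot: The second added check, `if(dwDownloaded >= dwResponseLen)`, runs only after `WinHttpReadData` has already written into `szResponse`, so it cannot stop an overflow; what protects the buffer is the byte count passed to the read, which the first check keeps below `sizeof(szResponse)`. I would either drop the post-read block or mark it as an invariant check with a comment such as `// dwDownloaded <= dwSize < sizeof(szResponse); defensive only`, and initialise the context line as `DWORD dwDownloaded = 0;` so the terminator index is never indeterminate. If the session is opened in asynchronous mode (not visible in this hunk), the read can complete after the callback returns, and then a stack buffer and a stack byte counter are not safe here; please confirm against the session setup. The enclosing case in `WinHttpCallback` starts and ends outside the hunk.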