Skip to content

Commit 16e1918

Browse files
everslickeverslick
authored
ESP8266WebServer - fix possible memory leak in request argument handling (#9076)
* fix possible leak of _postArgs array in case of returning early from _parseForm(). * don't use _postArgs member, but instead use a new local variable postArgs instead. * same for _postArgsLen member vs.local postArgsLen. * remove useless NULL pointer check before delete(). * Remove _postArgs member from ESP8266WebServer.h * Remove searching through always empty _postArgs array in ESP8266WebServer-impl.h
1 parent de1029f commit 16e1918

File tree

3 files changed

+11
-27
lines changed

3 files changed

+11
-27
lines changed

libraries/ESP8266WebServer/src/ESP8266WebServer-impl.h

-8
Original file line numberDiff line numberDiff line change
@@ -590,10 +590,6 @@ const String& ESP8266WebServerTemplate<ServerType>::pathArg(unsigned int i) cons
590590

591591
template <typename ServerType>
592592
const String& ESP8266WebServerTemplate<ServerType>::arg(const String& name) const {
593-
for (int j = 0; j < _postArgsLen; ++j) {
594-
if ( _postArgs[j].key == name )
595-
return _postArgs[j].value;
596-
}
597593
for (int i = 0; i < _currentArgCount + _currentArgsHavePlain; ++i) {
598594
if ( _currentArgs[i].key == name )
599595
return _currentArgs[i].value;
@@ -622,10 +618,6 @@ int ESP8266WebServerTemplate<ServerType>::args() const {
622618

623619
template <typename ServerType>
624620
bool ESP8266WebServerTemplate<ServerType>::hasArg(const String& name) const {
625-
for (int j = 0; j < _postArgsLen; ++j) {
626-
if (_postArgs[j].key == name)
627-
return true;
628-
}
629621
for (int i = 0; i < _currentArgCount + _currentArgsHavePlain; ++i) {
630622
if (_currentArgs[i].key == name)
631623
return true;

libraries/ESP8266WebServer/src/ESP8266WebServer.h

+1-3
Original file line numberDiff line numberDiff line change
@@ -323,8 +323,6 @@ class ESP8266WebServerTemplate
323323
RequestArgument* _currentArgs = nullptr;
324324
int _currentArgsHavePlain = 0;
325325
std::unique_ptr<HTTPUpload> _currentUpload;
326-
int _postArgsLen = 0;
327-
RequestArgument* _postArgs = nullptr;
328326

329327
int _headerKeysCount = 0;
330328
RequestArgument* _currentHeaders = nullptr;
@@ -352,4 +350,4 @@ class ESP8266WebServerTemplate
352350
using ESP8266WebServer = esp8266webserver::ESP8266WebServerTemplate<WiFiServer>;
353351
using RequestHandler = esp8266webserver::RequestHandler<WiFiServer>;
354352

355-
#endif //ESP8266WEBSERVER_H
353+
#endif //ESP8266WEBSERVER_H

libraries/ESP8266WebServer/src/Parsing-impl.h

+10-16
Original file line numberDiff line numberDiff line change
@@ -358,9 +358,8 @@ bool ESP8266WebServerTemplate<ServerType>::_parseForm(ClientType& client, const
358358
client.readStringUntil('\n');
359359
//start reading the form
360360
if (line == ("--"+boundary)){
361-
if(_postArgs) delete[] _postArgs;
362-
_postArgs = new RequestArgument[WEBSERVER_MAX_POST_ARGS];
363-
_postArgsLen = 0;
361+
std::unique_ptr<RequestArgument[]> postArgs(new RequestArgument[WEBSERVER_MAX_POST_ARGS]);
362+
int postArgsLen = 0;
364363
while(1){
365364
String argName;
366365
String argValue;
@@ -408,7 +407,7 @@ bool ESP8266WebServerTemplate<ServerType>::_parseForm(ClientType& client, const
408407
}
409408
DBGWS("PostArg Value: %s\n\n", argValue.c_str());
410409

411-
RequestArgument& arg = _postArgs[_postArgsLen++];
410+
RequestArgument& arg = postArgs[postArgsLen++];
412411
arg.key = argName;
413412
arg.value = argValue;
414413

@@ -488,25 +487,20 @@ bool ESP8266WebServerTemplate<ServerType>::_parseForm(ClientType& client, const
488487
}
489488

490489
int iarg;
491-
int totalArgs = ((WEBSERVER_MAX_POST_ARGS - _postArgsLen) < _currentArgCount)?(WEBSERVER_MAX_POST_ARGS - _postArgsLen):_currentArgCount;
490+
int totalArgs = ((WEBSERVER_MAX_POST_ARGS - postArgsLen) < _currentArgCount)?(WEBSERVER_MAX_POST_ARGS - postArgsLen):_currentArgCount;
492491
for (iarg = 0; iarg < totalArgs; iarg++){
493-
RequestArgument& arg = _postArgs[_postArgsLen++];
492+
RequestArgument& arg = postArgs[postArgsLen++];
494493
arg.key = _currentArgs[iarg].key;
495494
arg.value = _currentArgs[iarg].value;
496495
}
497-
if (_currentArgs) delete[] _currentArgs;
498-
_currentArgs = new RequestArgument[_postArgsLen];
499-
for (iarg = 0; iarg < _postArgsLen; iarg++){
496+
delete[] _currentArgs;
497+
_currentArgs = new RequestArgument[postArgsLen];
498+
for (iarg = 0; iarg < postArgsLen; iarg++){
500499
RequestArgument& arg = _currentArgs[iarg];
501-
arg.key = _postArgs[iarg].key;
502-
arg.value = _postArgs[iarg].value;
500+
arg.key = postArgs[iarg].key;
501+
arg.value = postArgs[iarg].value;
503502
}
504503
_currentArgCount = iarg;
505-
if (_postArgs) {
506-
delete[] _postArgs;
507-
_postArgs = nullptr;
508-
_postArgsLen = 0;
509-
}
510504
return true;
511505
}
512506
DBGWS("Error: line: %s\n", line.c_str());

0 commit comments

Comments
 (0)