From: Kp <kp@valhallalegends.com>
Date: Sat, 13 Dec 2008 03:38:54 +0000 (-0600)
Subject: HTTP: fix stack overwrite due to format string error.
X-Git-Tag: silc.toolkit.1.1.9~6^2~8
X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=commitdiff_plain;h=b2b91b074b6701455053425b583a6fd0beedc8cc

HTTP: fix stack overwrite due to format string error.

On AMD64, %lu refers to a 64-bit unsigned value, but the address passed
to sscanf points to a 32-bit unsigned value.  This causes an adjoining
value on the stack to be overwritten with data from the converted
integer.  Fix the format string to match the size of the supplied value,
and remove the pointer cast.
---

diff --git a/lib/silchttp/silchttpserver.c b/lib/silchttp/silchttpserver.c
index cd94c407..e83d2f37 100644
--- a/lib/silchttp/silchttpserver.c
+++ b/lib/silchttp/silchttpserver.c
@@ -194,7 +194,7 @@ static SilcBool silc_http_server_parse(SilcHttpServer httpd,
 
     /* Check we have received all data */
     cl = silc_mime_get_field(conn->curheaders, "Content-Length");
-    if (cl && sscanf(cl, "%lu", (unsigned long *)&cll) == 1) {
+    if (cl && sscanf(cl, "%u", &cll) == 1) {
       if (data_len < cll) {
 	/* More data to come */
 	silc_mime_free(conn->curheaders);