[+] Fix: Enhance request parsing to avoid hq parsing error

Sy0307 · Sy0307 · commit 2c3105685eb8 · 2025-11-24T16:35:23.000+08:00
diff --git a/demo/xqc_hq_request.c b/demo/xqc_hq_request.c
@@ -231,13 +231,27 @@ ssize_t
 xqc_hq_parse_req(xqc_hq_request_t *hqr, char *res, size_t sz, uint8_t *fin)
 {
     char method[16] = {0};
-    int ret = sscanf(hqr->req_recv_buf, "%s %s", method, res);
+    char fmt[32] = {0};
+    size_t method_cap = sizeof(method) - 1;
+    size_t res_cap;
+    int ret;
+    size_t request_line_len;
+
+    if (sz <= 1) {
+        PRINT_LOG("|invalid resource buffer size|sz:%zu|", sz);
+        return -XQC_EPROTO;
+    }
+
+    res_cap = sz - 1;
+    snprintf(fmt, sizeof(fmt), "%%%zus %%%zus", method_cap, res_cap);
+
+    ret = sscanf((char *)hqr->req_recv_buf, fmt, method, res);
     if (ret <= 0) {
         PRINT_LOG("|parse hq request failed: %s", hqr->req_recv_buf);
         return -XQC_EPROTO;
     }
 
-    int request_line_len = strlen(method) + strlen(res) + 1; /* method + ' ' + path */
+    request_line_len = strlen(method) + strlen(res) + 1; /* method + ' ' + path */
     if (request_line_len + 2 <= hqr->recv_buf_len
         && (*(hqr->req_recv_buf + request_line_len) == '\r')
         && (*(hqr->req_recv_buf + request_line_len + 1) == '\n'))
@@ -284,6 +298,12 @@ xqc_hq_request_recv_req(xqc_hq_request_t *hqr, char *res_buf, size_t buf_sz, uin
     } while (read > 0 && !hqr->fin);
 
 
+    if (hqr->recv_cnt >= hqr->recv_buf_len) {
+        PRINT_LOG("|hq request too long|len:%zu|", hqr->recv_cnt);
+        return -XQC_EPROTO;
+    }
+    hqr->req_recv_buf[hqr->recv_cnt] = '\0';
+
     if (NULL == hqr->resource_buf) {
         hqr->resource_buf = xqc_malloc(XQC_HQ_REQUEST_RESOURCE_MAX_LEN);
         if (NULL == hqr->resource_buf) {
