httpd_g.c

是一个常见路由器升级文件的效验和算法！参考此源码对一些路由器的升级文件（*.bin）进行分析．

#include <stdlib.h>
#include <ctype.h>
#include <config.h>
#include <network.h>
#include <sys/mbuf.h>

#include <http_conf.h>
#include <http_proc.h>
#include <cfg_def.h>
#include <cfg_hdr.h>
#include <flash.h>

#if	(CONFIG_WP32XX_FLASH_SIZE>512)
#define MAX_RECV_CONTENT		(960*1024) /* 1M - 64K boot loader size */
#else
#define MAX_RECV_CONTENT		(448*1024) /* 512K - 64K boot loader size */
#endif

#ifndef	CONFIG_HTTPD_MAX_USERS
	#define USER_NUM_MAX	1
#else
	#if	((CONFIG_HTTPD_MAX_USERS < 1) || (CONFIG_HTTPD_MAX_USERS>4))
		#define USER_NUM_MAX	1
	#else
		#define	USER_NUM_MAX CONFIG_HTTPD_MAX_USERS
	#endif
#endif

struct userinfo_t userinfo[USER_NUM_MAX];
int http_user_num_max = USER_NUM_MAX;

#if (CONFIG_WP32XX_RAM_SIZE > 2)

int add_to_content( http_upload_content** content, char* str, int len )
{
    if ( *content == 0 )
    {
        *content = calloc(1, sizeof(http_upload_content));
        if (*content == 0)
        {
            diag_printf("add_to_content: out of memory\n");
            return -1;
        }
        (*content)->size = len + 500;
        (*content)->buf = malloc((*content)->size);
        (*content)->len = 0;
    }
    else if ( (*content)->len + len >= (*content)->size )
    {
        (*content)->size = (*content)->len + len + 500;
        (*content)->buf = realloc((*content)->buf, (*content)->size);
    }
	
    if ( (*content)->buf == (char*) 0 )
    {
        diag_printf("add_to_content: out of memory\n");
        free(*content);
        *content = 0;
        return -1;
    }
    
    memcpy(&((*content)->buf[(*content)->len]), str, len);
    (*content)->len += len;
    (*content)->buf[(*content)->len] = '\0';
    
    return 0;
}

void free_request(http_req *req)
{	
	if(req->query_tbl)
		free(req->query_tbl);
	if(req->request)
		free(req->request);
	if(req->response)
		free(req->response);
	if (req->content)
	{
        if (req->content->buf)
            free(req->content->buf);
		free(req->content);
	}
}

extern	unsigned int os_mem_ceiling(void);
int content_length_toobig(int length)
{
    int ceiling = os_mem_ceiling();
    return (length > MAX_RECV_CONTENT || length > ceiling);
}

void process_multipart(http_req *req)
{
	char *startp, *strp;
	char *boundary;
	char *varname;
	int remain_len;
	
	
	boundary = strstr(req->content_type, "boundary=");
	boundary += 9;
    
	startp = req->content->buf;
	remain_len = req->content->len;
	
	while(remain_len > 0) 
	{
		if((startp = check_pattern(startp, remain_len, boundary)) == NULL )
			break;
	
		if(startp-4 > req->content->buf)
			*(startp-4) = '\0'; /* \r\n-- */
		
		startp += strlen(boundary);
		
		if(*startp=='-' && *(startp+1)=='-')
			break;  /* end */ /* Roger: This check method is right?? */
		
		startp +=2;
		
		remain_len = req->content->len - (startp - req->content->buf);
		if (!strncasecmp(startp, "Content-Disposition:", 20) ) 
		{
			if((varname = check_pattern(startp, remain_len, "name=\"")) != NULL ) 
			{
					
				/* find out begin of file */
		    	if((strp = check_pattern(startp, remain_len, "\r\n\r\n")) != NULL) 
		    	{
		    		startp = strp+4;
		    	}
		    	else if((strp = check_pattern(startp, remain_len, "\n\n")) != NULL) 
		    	{
		    		startp = strp+2;
		    	}
		    	else 
		    	{
		    		diag_printf("Can not find value of %s\n", varname);
		    		return;
		    	}
		    	varname += 6;
		    	strp = strchr( varname, '"');	
		    	*strp =  '\0';
		    	query_set(req, varname, startp);	
		    }
		}
		remain_len =  req->content->len -(startp - req->content->buf);
	}
}

char *WEB_upload_file(http_req *req, char *filename, int *len)
{
	char *file, *boundary, *endp;
	int rlen;
	
	file = query_getvar( req, filename);
	
	if( !file)
		return NULL;
		
	boundary = strstr(req->content_type, "boundary=");
	boundary += 9;
	
	rlen = req->content->len - (file - req->content->buf);
	if( (endp = check_pattern( file, rlen, boundary)) != NULL) {
		endp -= 4; /* \r\n-- */
		*len = endp - file;
	
		return file;
	}
	else
		return NULL;
}

extern int CFG_put_file(int id, char * file, int len);
int http_put_file(int id, http_upload_content* content, char * file, int len)
{
    return CFG_put_file(id, file, len);
}

void CGI_free_content(http_upload_content *content)
{
    if (content)
    {
        if (content->buf)
            free(content->buf);
        free(content);
    }
}

#else 
/* CONFIG_WP32XX_RAM_SIZE <= 2 */

extern	char *mclrefcnt;
extern  struct	mbstat mbstat;
extern  union	mcluster *mclfree;
int	m_clalloc __P((int, int));

#ifdef CONFIG_HTTP_UPGRADE_SYSMEM
#define MAX_MALLOC_CONTENT_BUF  (CONFIG_HTTP_UPGRADE_SYSMEM*1024)
#else
#define MAX_MALLOC_CONTENT_BUF  (384*1024)
#endif

int add_to_content( http_upload_content** content, char* str, int len )
{
    http_upload_content *current, *next;
    int total_len;
    int copy_len, remain_len = len;
    char *p = str;
    
    if (*content == 0)
    {
        *content = calloc(1, sizeof(http_upload_content));
        if (*content == 0)
        {
            diag_printf("add_to_content: out of memory\n");
            return -1;
        }
    }
    
    if ((*content)->len + remain_len < MAX_MALLOC_CONTENT_BUF)
    {
        total_len = (*content)->len + remain_len;
        if ((*content)->size == 0)
        {
            (*content)->buf = (char *)malloc(total_len+1);
            if (!(*content)->buf)
            {
                diag_printf("add_to_content: malloc failed\n");
                free(*content);
                *content = 0;
                return -1;
            }
        }
        else
        {
            (*content)->buf = (char *)realloc((*content)->buf, total_len+1);
            if (!(*content)->buf)
            {
                diag_printf("add_to_content: realloc failed\n");
                free(*content);
                *content = 0;
                return -1;
            }
        }
        memcpy(&((*content)->buf[(*content)->len]), p, remain_len);
        (*content)->size = total_len + 1;
        (*content)->len = total_len;
        (*content)->buf[(*content)->len] = '\0';
    }
    else
    {
        if ((*content)->len < MAX_MALLOC_CONTENT_BUF)
        {
            (*content)->buf = (char *)realloc((*content)->buf, MAX_MALLOC_CONTENT_BUF);
            if (!(*content)->buf)
            {
                diag_printf("add_to_content: realloc failed\n");
                free(*content);
                *content = 0;
                return -1;
            }
            (*content)->size = MAX_MALLOC_CONTENT_BUF;
            total_len = (*content)->len;
        }
        else
            total_len = 0;
        
        current = *content;
        
        while (remain_len > 0)
        {
            copy_len = current->size - current->len;
            if (copy_len > 0)
            {
                copy_len = (remain_len > copy_len)?copy_len:remain_len;
                memcpy(&(current->buf[current->len]), p, copy_len);
                current->len += copy_len;
                total_len += current->len;
                p += copy_len;
                remain_len -= copy_len;
            }
            else
            {
                total_len += current->len;
            }
            
            if (remain_len == 0)
                break;
            
            if (!current->next)
            {
                next = calloc(1, sizeof(http_upload_content));
                if (!next)
                {
                    diag_printf("add_to_content: out of memory\n");
                    return -1;
                }
                MCLALLOC(next->buf, M_DONTWAIT);
                if (!next->buf)
                {
                    diag_printf("add_to_content: out of cluster\n");
                    free(next);
                    return -1;
                }
                next->type_mcl = 1;    // cluster
                next->size = MCLBYTES;
                current->next = next;
            }
            current = current->next;
        }
    }
    
    return (total_len);
}

void free_request(http_req *req)
{	
	if(req->query_tbl)
		free(req->query_tbl);
	if(req->request)
		free(req->request);
	if(req->response)
		free(req->response);
	if (req->content)
	{
		http_upload_content *next, *current = req->content;
		while (current)
		{
			next = current->next;
            if (current->buf)
            {
                if (current->type_mcl)
                    MCLFREE(current->buf);
                else
                    free(current->buf);
            }
			free(current);
			current = next;
		}
	}
}

int content_length_toobig(int length)
{
    return (length > MAX_RECV_CONTENT);
}

char *check_pattern1(http_upload_content **content, http_upload_content **prev_content, char *sp, char *pattern)
{
	http_upload_content *current = *content;
	http_upload_content *next;
	int pattern_len = strlen(pattern), buf_len;
	char *p = sp;
	//char *p1;
	int i;
	
	while (current)
	{
		if (p >= current->buf && p < current->buf+current->len)
			break;
		*prev_content = current;
		current = current->next;
	}
	
	while (current)
	{
		buf_len = current->len;
		
		//for (; (p - current->buf) <= (buf_len - pattern_len); p++)
		for (; (p + pattern_len) <= (current->buf + buf_len); p++)
		{
			if (memcmp(p, pattern, pattern_len) == 0)
			{
				*content = current;
				return p;
			}
		}
		
		next = current->next;
		if (!next)
			break;
		
		//p1 = next->buf;
		//buf_len = next->len;
		
		//for (i=1; i<pattern_len && buf_len >= pattern_len-i; i++, p++)
		for (i=1; i<pattern_len; i++, p++)
		{
			if (next->len < i)
			{
				//char buf[255];
				//
				//i--;
				//p--;
				//
				//diag_printf("pattern=%s\n", pattern);
				//diag_printf("pattern_len = %d, i=%d\n", pattern_len, i);
				//
				//memcpy(buf, p, pattern_len-i);
				//buf[pattern_len-i] = 0;
				//diag_printf("head=%s\n", buf);
				//
				//memcpy(buf, next->buf, next->len);
				//buf[next->len] = 0;
				//diag_printf("tail=%s\n", buf);
				break;
			}
			
			//if ((memcmp(p, pattern, i) == 0) &&
			//    (memcmp(p1, pattern+i, pattern_len-i) == 0))