summaryrefslogtreecommitdiff
path: root/file.c
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2019-12-22 22:32:00 +0100
committerJo-Philipp Wich <jo@mein.io>2019-12-22 22:32:00 +0100
commit5f9ae5738372aaa3a6be2f0a278933563d3f191a (patch)
treec3ce3c43aad6d8dda52567b131031b89b9197ec3 /file.c
parent6b03f9605323df23d12e3876feb466f53f8d50c4 (diff)
client: fix invalid data access through invalid content-length values
An invalid data access can be triggered with an HTTP POST request to a CGI script specifying both `Transfer-Encoding: chunked` and a large negative `Content-Length`. The negative content length is assigned to `r->content_length` in `client_parse_header` and passed as a negative read length to `ustream_consume` in `client_poll_post_data` which will set the internal ustream buffer pointer to an invalid address, causing out of bounds memory reads later on in the code flow. A similar implicit unsigned to signed conversion happens when parsing chunk sizes emitted by a CGI program. Address these issues by rejecting negative values in `r->content_length` after assigning the `strtoul()` result. Reported-by: Jan-Niklas Sohn <jan-niklas.sohn@gmx.de> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'file.c')
0 files changed, 0 insertions, 0 deletions