
core: safety check for content-lenght size in tcp read

- avoid getting negative
- upon a report by Kevin Wojtysiak

Daniel-Constantin Mierla authored on 11/04/2013 22:50:24
Showing 1 changed files
... ...
@@ -797,11 +797,25 @@ int tcp_read_headers(struct tcp_connection *c, int* read_flags)
797 797
 					case '\r':
798 798
 					case ' ':
799 799
 					case '\t': /* FIXME: check if line contains only WS */
800
+						if(r->content_len<0) {
801
+							LOG(L_ERR, "bad Content-Length header value %d in"
802
+									" state %d\n", r->content_len, r->state);
803
+							r->content_len=0;
804
+							r->error=TCP_REQ_BAD_LEN;
805
+							r->state=H_SKIP; /* skip now */
806
+						}
800 807
 						r->state=H_SKIP;
801 808
 						r->flags|=F_TCP_REQ_HAS_CLEN;
802 809
 						break;
803 810
 					case '\n':
804 811
 						/* end of line, parse successful */
812
+						if(r->content_len<0) {
813
+							LOG(L_ERR, "bad Content-Length header value %d in"
814
+									" state %d\n", r->content_len, r->state);
815
+							r->content_len=0;
816
+							r->error=TCP_REQ_BAD_LEN;
817
+							r->state=H_SKIP; /* skip now */
818
+						}
805 819
 						r->state=H_LF;
806 820
 						r->flags|=F_TCP_REQ_HAS_CLEN;
807 821
 						break;
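Review bot: In the `case '\n':` branch the added `r->state=H_SKIP; /* skip now */` is a dead store, because the unchanged `r->state=H_LF;` right after the block overwrites it, and both branches still set `F_TCP_REQ_HAS_CLEN` with the length forced to 0; dropping that assignment, or commenting it as `/* r->error rejects the request; state is reset below */`, would make clear that only `r->error=TCP_REQ_BAD_LEN` carries the rejection. The `r->content_len<0` test also catches only an overflow that happens to land on a negative value. The digit accumulation is outside this hunk, but if it is a plain signed multiply-and-add, a longer digit string can wrap back to a positive length and the overflow itself is undefined behaviour, so bounding the value before each multiply there would be the sturdier check. The two added blocks are identical and could share one small static helper; tcp_read_headers starts and ends outside the hunk.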