Properly detect overflow when reading the hex chunk lines.
authorAaron Bannert <aaron@apache.org>
Wed, 29 May 2002 06:42:58 +0000 (06:42 +0000)
committerAaron Bannert <aaron@apache.org>
Wed, 29 May 2002 06:42:58 +0000 (06:42 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95342 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/http/http_protocol.c

diff --git a/CHANGES b/CHANGES
index 0f97c22f553183da6b027a99dbb3ac87dc2c4c85..83421d429a65ea1c6e59fd81679f802fde6cf5ba 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.37
 
+  *) Detect overflow when reading the hex bytes forming a chunk line.
+     [Aaron Bannert]
+
   *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
      [James Tait <JTait@wyrddreams.demon.co.uk>]
 
index cab5984578de88b9e10a7f1d25799be91cfdf4e0..0871a1c69b7f0f57a60051b087ff92dd45b9ebd7 100644 (file)
@@ -859,7 +859,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
             apr_brigade_flatten(bb, line, &len);
 
             ctx->remaining = get_chunk_size(line);
-            /* Detect invalid chunk sizes. */
+            /* Detect chunksize error (such as overflow) */
             if (ctx->remaining < 0) {
                 apr_brigade_cleanup(bb);
                 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
@@ -908,7 +908,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
                 apr_brigade_flatten(bb, line, &len);
                 ctx->remaining = get_chunk_size(line);
 
-                /* Detect invalid chunk sizes. */
+                /* Detect chunksize error (such as overflow) */
                 if (ctx->remaining < 0) {
                     apr_brigade_cleanup(bb);
                     e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE,
@@ -1690,8 +1690,9 @@ AP_DECLARE(int) ap_should_client_block(request_rec *r)
 static long get_chunk_size(char *b)
 {
     long chunksize = 0;
+    size_t chunkbits = sizeof(long) * 8;
 
-    while (apr_isxdigit(*b)) {
+    while (apr_isxdigit(*b) && (chunkbits > 0)) {
         int xvalue = 0;
 
         if (*b >= '0' && *b <= '9') {
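Review bot: The `chunkbits` budget in the new loop condition is spent on every hex digit, leading zeros included, so a chunk-size line padded with zeros past `sizeof(long) * 2` digits is reported as overflow even when its value is small. Skipping the zeros before the loop, for example `while (*b == '0') ++b;`, keeps the budget for significant digits only; a line of just "0" still yields 0 because the loop then never runs. The width is also computed with a literal 8, where `CHAR_BIT` from `<limits.h>` would state the intent. The body of get_chunk_size continues outside this hunk.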
@@ -1705,8 +1706,13 @@ static long get_chunk_size(char *b)
         }
 
         chunksize = (chunksize << 4) | xvalue;
+        chunkbits -= 4;
         ++b;
     }
+    if (apr_isxdigit(*b) && (chunkbits <= 0)) {
+        /* overflow */
+        return -1;
+    }
 
     return chunksize;
 }
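Review bot: Because the bit budget equals the full width of `long`, the last accepted digit can shift a set bit into the sign position in `chunksize = (chunksize << 4) | xvalue;`, which is undefined behaviour for a signed type. The result merely tends to come out negative, and the `ctx->remaining < 0` checks in ap_http_filter rely on that to reject the value. A check before the shift, `if (chunksize > (LONG_MAX >> 4)) return -1;`, rejects such sizes explicitly without depending on the wrap. Separately, `chunkbits` is a `size_t`, so `chunkbits <= 0` in the added test can only ever mean `chunkbits == 0`. The start of the loop body lies outside this hunk.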