From: Aaron Bannert Date: Wed, 29 May 2002 06:42:58 +0000 (+0000) Subject: Properly detect overflow when reading the hex chunk lines. X-Git-Tag: 2.0.37~212 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0310c2dff7fcaa09bd61bafee1db182fd3c491b8;p=apache Properly detect overflow when reading the hex chunk lines. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95342 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 0f97c22f55..83421d429a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,8 @@ Changes with Apache 2.0.37 + *) Detect overflow when reading the hex bytes forming a chunk line. + [Aaron Bannert] + *) Allow RewriteMap prg:'s to take command-line arguments. PR 8464. [James Tait ] diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index cab5984578..0871a1c69b 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c @@ -859,7 +859,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, apr_brigade_flatten(bb, line, &len); ctx->remaining = get_chunk_size(line); - /* Detect invalid chunk sizes. */ + /* Detect chunksize error (such as overflow) */ if (ctx->remaining < 0) { apr_brigade_cleanup(bb); e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL, @@ -908,7 +908,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, apr_brigade_flatten(bb, line, &len); ctx->remaining = get_chunk_size(line); - /* Detect invalid chunk sizes. */ + /* Detect chunksize error (such as overflow) */ if (ctx->remaining < 0) { apr_brigade_cleanup(bb); e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, @@ -1690,8 +1690,9 @@ AP_DECLARE(int) ap_should_client_block(request_rec *r) static long get_chunk_size(char *b) { long chunksize = 0; + size_t chunkbits = sizeof(long) * 8; - while (apr_isxdigit(*b)) { + while (apr_isxdigit(*b) && (chunkbits > 0)) { int xvalue = 0; if (*b >= '0' && *b <= '9') { @@ -1705,8 +1706,13 @@ static long get_chunk_size(char *b) } chunksize = (chunksize << 4) | xvalue; + chunkbits -= 4; ++b; } + if (apr_isxdigit(*b) && (chunkbits <= 0)) { + /* overflow */ + return -1; + } return chunksize; }