From e539846266021ef9c3ae07369a2b857174727de3 Mon Sep 17 00:00:00 2001
From: Arvid Norberg
Date: Mon, 29 Jul 2019 22:09:15 -0700
Subject: [PATCH] fix integer overflow in chunked http parser
---
 ChangeLog | 1 +
 src/http_parser.cpp | 3 ++-
 test/test_http_parser.cpp | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index a9745286f..93dbb7f70 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+ * fix integer overflow in http parser
 * improve sanitation of symlinks, to support more complex link targets
 * add DHT routing table affinity for BEP 42 nodes
 * add torrent_info constructor overloads to control torrent file limits
diff --git a/src/http_parser.cpp b/src/http_parser.cpp
index 0fb0cc9e3..569ddf8bf 100644
--- a/src/http_parser.cpp
+++ b/src/http_parser.cpp
@@ -378,7 +378,8 @@ restart_response:
 int header_size;
 if (parse_chunk_header(buf, &chunk_size, &header_size))
 {
- if (chunk_size < 0
+ if (chunk_size < 0
+ || chunk_size > std::numeric_limits::max() - m_cur_chunk_end - header_size)
 {
 m_state = error_state;
 error = true;
diff --git a/test/test_http_parser.cpp b/test/test_http_parser.cpp
index 0855351bb..a934f3113 100644
--- a/test/test_http_parser.cpp
+++ b/test/test_http_parser.cpp
@@ -529,6 +529,24 @@ TORRENT_TEST(chunked_encoding)
 TEST_CHECK(body == span("test12340123456789abcdef", 24));
 }
 
+TORRENT_TEST(chunked_encoding_overflow)
+{
+ char const chunked_input[] =
+ "HTTP/1.1 200 OK\r\n"
+ "Transfer-Encoding: chunked\r\n"
+ "\r\n"
+ "7FFFFFFFFFFFFFBF\r\n";
+
+ http_parser parser;
+ int payload;
+ int protocol;
+ bool error = false;
+ std::tie(payload, protocol) = parser.incoming(chunked_input, error);
+
+ // it should have encountered an error
+ TEST_CHECK(error == true);
+}
+
 TORRENT_TEST(invalid_content_length)
 {
 char const chunked_input[] =
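Review bot: The added bound in src/http_parser.cpp is only sound if the `std::numeric_limits` instantiation (its template argument is not visible in the hunk as rendered) is the same type as the chunk-end accumulator it protects, and if `m_cur_chunk_end` and `header_size` are both non-negative; otherwise the subtraction on the right-hand side can itself wrap before the comparison runs. The 16-hex-digit chunk size in the accompanying test suggests a 64-bit `chunk_size`, but that is inferred, not shown. The intent of the expression is not obvious from reading it, so a why-comment above the `if` would help: `// reject chunk sizes that would overflow the chunk-end offset (m_cur_chunk_end + header_size + chunk_size)`. The enclosing function continues on both sides of the hunk.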
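Review bot: The new test in test/test_http_parser.cpp pins only the overflowing side of the boundary, so a regression from `>` to `>=` (or an off-by-one in the subtracted terms) would go unnoticed; a companion input one unit below the limit that must leave `error` false — presumably `"7FFFFFFFFFFFFFBE\r\n"` with the same headers, though that depends on the header length and `m_cur_chunk_end` bookkeeping not visible here — would pin the accepted edge too. As a point of style, `int payload;` and `int protocol;` are left uninitialized until the `std::tie` assignment; `int payload = 0; int protocol = 0;` keeps the test clean under uninitialized-read diagnostics should `incoming` ever return early.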