filter: avoid integer overflow in authenticate_post
ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow.

Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
parent ffe09621f2
commit 4458abf641
Files changed: cgit.c (2)
@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
|
|||||||
static inline void authenticate_post(void)
|
static inline void authenticate_post(void)
|
||||||
{
|
{
|
||||||
char buffer[MAX_AUTHENTICATION_POST_BYTES];
|
char buffer[MAX_AUTHENTICATION_POST_BYTES];
|
||||||
int len;
|
unsigned int len;
|
||||||
|
|
||||||
open_auth_filter("authenticate-post");
|
open_auth_filter("authenticate-post");
|
||||||
len = ctx.env.content_length;
|
len = ctx.env.content_length;
|
||||||
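Review bot: declaring `len` as `unsigned int` matches the type of `ctx.env.content_length`, so the assignment `len = ctx.env.content_length;` can no longer wrap into a negative value, but the bounds check against `MAX_AUTHENTICATION_POST_BYTES` that the commit message relies on is not in this hunk; please confirm that check now reads as an unsigned comparison (`len > MAX_AUTHENTICATION_POST_BYTES` rejecting the request before any read into `buffer`), since a check that previously caught a negative `len` will silently accept a large positive one if it is still written against a signed bound. A short comment on the declaration saying the type deliberately mirrors `content_length` would keep a future edit from reintroducing the signed conversion.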
|