diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2015-11-24 11:28:00 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2015-11-24 11:31:43 +0100 |
commit | 4458abf64172a62b92810c2293450106e6dfc763 (patch) | |
tree | 92a3f3587e85c11c77d11769a45d55ddb2fd81a6 | |
parent | ffe09621f2626c692a16b249a52112ba8070aa79 (diff) | |
download | pkg-cgit-4458abf64172a62b92810c2293450106e6dfc763.zip pkg-cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.gz pkg-cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.bz2 |
filter: avoid integer overflow in authenticate_post
ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.
Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | cgit.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function) static inline void authenticate_post(void) { char buffer[MAX_AUTHENTICATION_POST_BYTES]; - int len; + unsigned int len; open_auth_filter("authenticate-post"); len = ctx.env.content_length; |