From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Tue, 24 Nov 2015 11:28:00 +0100 Subject: filter: avoid integer overflow in authenticate_post ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas Signed-off-by: Jason A. Donenfeld --- cgit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cgit.c b/cgit.c index 5937b9e..05e5d57 100644 --- a/cgit.c +++ b/cgit.c @@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function) static inline void authenticate_post(void) { char buffer[MAX_AUTHENTICATION_POST_BYTES]; - int len; + unsigned int len; open_auth_filter("authenticate-post"); len = ctx.env.content_length; -- cgit v1.1