Blame SOURCES/CVE-2018-7159-reject-interior-blanks-in-Content-Length-backport.patch

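diff -up http-parser-2.7.1/http_parser.c.cve http-parser-2.7.1/http_parser.c
--- http-parser-2.7.1/http_parser.c.cve	2019-03-23 08:58:04.459272497 +0100
+++ http-parser-2.7.1/http_parser.c	2019-03-23 08:58:21.204279947 +0100
@@ -376,6 +376,8 @@ enum header_states
 
   , h_connection
   , h_content_length
+  , h_content_length_num
+  , h_content_length_ws
   , h_transfer_encoding
   , h_upgrade
 
@@ -1478,6 +1480,7 @@ reexecute:
 
             parser->flags |= F_CONTENTLENGTH;
             parser->content_length = ch - '0';
+            parser->header_state = h_content_length_num;
             break;
 
           case h_connection:
@@ -1565,10 +1568,18 @@ reexecute:
               break;
 
             case h_content_length:
+              if (ch == ' ') break;
+              h_state = h_content_length_num;
+              /* FALLTHROUGH */
+
+            case h_content_length_num:
             {
               uint64_t t;
 
-              if (ch == ' ') break;
+              if (ch == ' ') {
+                h_state = h_content_length_ws;
+                break;
+              }
 
               if (UNLIKELY(!IS_NUM(ch))) {
                 SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
@@ -1591,6 +1602,12 @@ reexecute:
               break;
             }
 
+            case h_content_length_ws:
+              if (ch == ' ') break;
+              SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
+              parser->header_state = h_state;
+              goto error;
+
             /* Transfer-Encoding: chunked */
             case h_matching_transfer_encoding_chunked:
               parser->index++;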
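Review bot: The new states `h_content_length_num` and `h_content_length_ws` are added without any comment, and nothing at `case h_content_length_ws:` says why only `' '` is tolerated after the digits. As written, a tab following the number appears to reach the `!IS_NUM(ch)` rejection instead of being treated as trailing whitespace; that is the fail-closed choice, but it should be recorded as deliberate. I would add above `case h_content_length_ws:` the comment `/* Only spaces may follow the digits; any other byte (e.g. the '2' in "4 2") is rejected so an interior blank never yields a length. */` and a short `/* digits seen */` / `/* spaces after digits */` next to the two enum members. The enclosing `reexecute:` switch starts and ends outside these hunks, so how CR/LF leave the whitespace state is not visible here.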
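diff -up http-parser-2.7.1/test.c.cve http-parser-2.7.1/test.c
--- http-parser-2.7.1/test.c.cve	2019-03-23 08:57:50.851266439 +0100
+++ http-parser-2.7.1/test.c	2019-03-23 08:58:25.545281880 +0100
@@ -3947,6 +3947,27 @@ main (void)
   test_invalid_header_field_token_error(HTTP_RESPONSE);
   test_invalid_header_field_content_error(HTTP_RESPONSE);
 
+  test_simple_type(
+      "POST / HTTP/1.1\r\n"
+      "Content-Length:  42 \r\n"  // Note the surrounding whitespace.
+      "\r\n",
+      HPE_OK,
+      HTTP_REQUEST);
+
+  test_simple_type(
+      "POST / HTTP/1.1\r\n"
+      "Content-Length: 4 2\r\n"
+      "\r\n",
+      HPE_INVALID_CONTENT_LENGTH,
+      HTTP_REQUEST);
+
+  test_simple_type(
+      "POST / HTTP/1.1\r\n"
+      "Content-Length: 13 37\r\n"
+      "\r\n",
+      HPE_INVALID_CONTENT_LENGTH,
+      HTTP_REQUEST);
+
   //// RESPONSES
 
   for (i = 0; i < response_count; i++) {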
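Review bot: The two rejecting cases added before `//// RESPONSES` exercise only `HTTP_REQUEST` and only a space as the interior separator, so the regression coverage is narrower than the parser change. As far as the parser hunks show, the new states sit in the header-value switch used for both message types, so a response-side case would pin that, e.g. `test_simple_type("HTTP/1.1 200 OK\r\n" "Content-Length: 4 2\r\n" "\r\n", HPE_INVALID_CONTENT_LENGTH, HTTP_RESPONSE);`. A case with a tab after the digits would also be worth adding, once the intended result has been confirmed against the parser, so that later changes to whitespace handling cannot silently relax the check.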