diff options
| author | Jason A. Donenfeld | 2015-11-24 11:28:00 +0100 |
|---|---|---|
| committer | Jason A. Donenfeld | 2015-11-24 11:31:43 +0100 |
| commit | 4458abf64172a62b92810c2293450106e6dfc763 (patch) | |
| tree | 92a3f3587e85c11c77d11769a45d55ddb2fd81a6 | |
| parent | about-formatting.sh: comment text out of date (diff) | |
| download | cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.gz cgit-4458abf64172a62b92810c2293450106e6dfc763.zip | |
filter: avoid integer overflow in authenticate_post
ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas <Erik@cabetas.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
| -rw-r--r-- | cgit.c | 2 |
1 files changed, 1 insertions, 1 deletions
| diff --git a/cgit.c b/cgit.c index 5937b9e..05e5d57 100644 --- a/cgit.c +++ b/cgit.c | |||
| @@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function) | |||
| 651 | static inline void authenticate_post(void) | 651 | static inline void authenticate_post(void) |
| 652 | { | 652 | { |
| 653 | char buffer[MAX_AUTHENTICATION_POST_BYTES]; | 653 | char buffer[MAX_AUTHENTICATION_POST_BYTES]; |
| 654 | int len; | 654 | unsigned int len; |
| 655 | 655 | ||
| 656 | open_auth_filter("authenticate-post"); | 656 | open_auth_filter("authenticate-post"); |
| 657 | len = ctx.env.content_length; | 657 | len = ctx.env.content_length; |