upnphttp: Disallow negative HTTP chunk lengths
[CVE-2020-28926] This fixes a couple of vulnerabilities that could lead to an infinite loop or heap corruption.
parent
06ee114731
commit
9fba41008a
@ -420,14 +420,14 @@ next_header:
|
||||
return;
|
||||
line += 2;
|
||||
}
|
||||
if( h->reqflags & FLAG_CHUNKED )
|
||||
if (h->reqflags & FLAG_CHUNKED)
|
||||
{
|
||||
char *endptr;
|
||||
h->req_chunklen = -1;
|
||||
if( h->req_buflen <= h->req_contentoff )
|
||||
if (h->req_buflen <= h->req_contentoff)
|
||||
return;
|
||||
while( (line < (h->req_buf + h->req_buflen)) &&
|
||||
(h->req_chunklen = strtol(line, &endptr, 16)) &&
|
||||
(h->req_chunklen = strtol(line, &endptr, 16) > 0) &&
|
||||
(endptr != line) )
|
||||
{
|
||||
endptr = strstr(endptr, "\r\n");
|
||||
@ -888,7 +888,7 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
|
||||
char *chunkstart, *chunk, *endptr, *endbuf;
|
||||
chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff;
|
||||
|
||||
while( (h->req_chunklen = strtol(chunk, &endptr, 16)) && (endptr != chunk) )
|
||||
while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) )
|
||||
{
|
||||
endptr = strstr(endptr, "\r\n");
|
||||
if (!endptr)
|
||||
|
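Review bot: In the first hunk (`@ -420`, under `next_header:`), the new condition `(h->req_chunklen = strtol(line, &endptr, 16) > 0)` puts the `> 0` inside the assignment's parentheses, so `h->req_chunklen` receives the comparison result (0 or 1) rather than the parsed chunk length. The loop still stops on a negative or zero value, but the stored length is wrong; whether anything reads it after this loop is not visible here, as the function body continues outside the hunk. The second hunk parenthesises it correctly and the first should match: `((h->req_chunklen = strtol(line, &endptr, 16)) > 0) &&`. Neither hunk shows an upper bound on the parsed length against the bytes remaining in `h->req_buf`, so it is worth confirming that check exists in the loop bodies, along with a comment by each `strtol` call stating that negative lengths are rejected for CVE-2020-28926.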