upnphttp: Disallow negative HTTP chunk lengths

[CVE-2020-28926]

This fixes a couple of vulnerabilities that could lead to an infinite loop
or heap corruption.
Justin Maggard 2020-09-24 08:55:36 -07:00 committed by Justin Maggard
parent 06ee114731
commit 9fba41008a


@ -420,14 +420,14 @@ next_header:
return;
line += 2;
}
if( h->reqflags & FLAG_CHUNKED )
if (h->reqflags & FLAG_CHUNKED)
{
char *endptr;
h->req_chunklen = -1;
if( h->req_buflen <= h->req_contentoff )
if (h->req_buflen <= h->req_contentoff)
return;
while( (line < (h->req_buf + h->req_buflen)) &&
(h->req_chunklen = strtol(line, &endptr, 16)) &&
(h->req_chunklen = strtol(line, &endptr, 16) > 0) &&
(endptr != line) )
{
endptr = strstr(endptr, "\r\n");
@ -888,7 +888,7 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
char *chunkstart, *chunk, *endptr, *endbuf;
chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff;
while( (h->req_chunklen = strtol(chunk, &endptr, 16)) && (endptr != chunk) )
while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) )
{
endptr = strstr(endptr, "\r\n");
if (!endptr)
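Review bot: In the first hunk (the `FLAG_CHUNKED` branch under `next_header:`), the new condition `(h->req_chunklen = strtol(line, &endptr, 16) > 0)` has its closing parenthesis misplaced: `>` binds tighter than `=`, so `req_chunklen` receives the comparison result (0 or 1) instead of the parsed chunk length. The loop still stops on zero or negative values, but any later use of `h->req_chunklen` to step over the chunk body would advance by the wrong amount; the loop body continues outside the hunk, so that part is inferred. It should match the form the second hunk uses: `(h->req_chunklen = strtol(line, &endptr, 16)) > 0 &&`. Neither hunk visibly bounds a positive length against the bytes remaining in `req_buf`, and `strtol` returns `long`, so a range check before the value is stored would be worth adding in both places.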