From 9fba41008adebc1da0f4f6c6e27ae422ace3fe4a Mon Sep 17 00:00:00 2001
From: Justin Maggard
Date: Thu, 24 Sep 2020 08:55:36 -0700
Subject: [PATCH] upnphttp: Disallow negative HTTP chunk lengths [CVE-2020-28926]

This fixes a couple vulnerabilities that could lead to an infinite loop or heap corruption.
---
 upnphttp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/upnphttp.c b/upnphttp.c
index 1fbb242..08fdd79 100644
--- a/upnphttp.c
+++ b/upnphttp.c
@@ -420,14 +420,14 @@ next_header:
 return;
 line += 2;
 }
- if( h->reqflags & FLAG_CHUNKED )
+ if (h->reqflags & FLAG_CHUNKED)
 {
 char *endptr;
 h->req_chunklen = -1;
- if( h->req_buflen <= h->req_contentoff )
+ if (h->req_buflen <= h->req_contentoff)
 return;
 while( (line < (h->req_buf + h->req_buflen)) &&
- (h->req_chunklen = strtol(line, &endptr, 16)) &&
+ (h->req_chunklen = strtol(line, &endptr, 16) > 0) &&
 (endptr != line) )
 {
 endptr = strstr(endptr, "\r\n");
@@ -888,7 +888,7 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
 char *chunkstart, *chunk, *endptr, *endbuf;
 chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff;
- while( (h->req_chunklen = strtol(chunk, &endptr, 16)) && (endptr != chunk) )
+ while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) )
 {
 endptr = strstr(endptr, "\r\n");
 if (!endptr)
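Review bot: The closing parenthesis in the new `while` condition of the first hunk (`@@ -420,14`) is misplaced: in `(h->req_chunklen = strtol(line, &endptr, 16) > 0)` the comparison binds tighter than the assignment, so `h->req_chunklen` receives 1 or 0 rather than the parsed chunk length. Any later use of `h->req_chunklen` as a length would then see 1 for every positive chunk size; the loop body continues outside the hunk, so the exact effect is not visible here. The line should read `(h->req_chunklen = strtol(line, &endptr, 16)) > 0 &&`, which is the form the second hunk in ProcessHttpQuery_upnphttp already uses.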
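Review bot: The `> 0` test added to the `while` condition in the second hunk (`@@ -888,7`) rejects zero and negative chunk sizes but sets no upper limit, so a positive size larger than the data remaining in `h->req_buf` still enters the loop. The loop body continues outside the hunk; if it does not already compare `h->req_chunklen` with the bytes left after the size line, a guard such as `if (h->req_chunklen > (h->req_buf + h->req_buflen) - endptr)` that rejects the request before the chunk is consumed would close that gap. A short comment on the condition, for example `/* chunk size must be positive: a negative value could cause an infinite loop or heap corruption */`, would also record why the comparison is there.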