upnphttp: Disallow negative HTTP chunk lengths

[CVE-2020-28926]

This fixes a couple of vulnerabilities that could lead to an infinite loop
or heap corruption.
Justin Maggard 2020-09-24 08:55:36 -07:00 committed by Justin Maggard
parent 06ee114731
commit 9fba41008a


@ -420,14 +420,14 @@ next_header:
return; return;
line += 2; line += 2;
} }
if( h->reqflags & FLAG_CHUNKED ) if (h->reqflags & FLAG_CHUNKED)
{ {
char *endptr; char *endptr;
h->req_chunklen = -1; h->req_chunklen = -1;
if( h->req_buflen <= h->req_contentoff ) if (h->req_buflen <= h->req_contentoff)
return; return;
while( (line < (h->req_buf + h->req_buflen)) && while( (line < (h->req_buf + h->req_buflen)) &&
(h->req_chunklen = strtol(line, &endptr, 16)) && (h->req_chunklen = strtol(line, &endptr, 16) > 0) &&
(endptr != line) ) (endptr != line) )
{ {
endptr = strstr(endptr, "\r\n"); endptr = strstr(endptr, "\r\n");
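Review bot: In the new `while` condition, `(h->req_chunklen = strtol(line, &endptr, 16) > 0)` parses as `h->req_chunklen = (strtol(...) > 0)` because `>` binds tighter than `=`, so `req_chunklen` ends up holding 0 or 1 instead of the parsed chunk length. Negative lengths are still rejected, but any later code that uses `req_chunklen` as a size would see 1 for every non-empty chunk; the loop body continues past the hunk, so that use is not visible here. Move the closing parenthesis the way the ProcessHttpQuery_upnphttp hunk already does: `((h->req_chunklen = strtol(line, &endptr, 16)) > 0) &&`. A regression test that sends a multi-byte chunk and a negative chunk size would cover both this and the original issue.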
@ -888,7 +888,7 @@ ProcessHttpQuery_upnphttp(struct upnphttp * h)
char *chunkstart, *chunk, *endptr, *endbuf; char *chunkstart, *chunk, *endptr, *endbuf;
chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff; chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff;
while( (h->req_chunklen = strtol(chunk, &endptr, 16)) && (endptr != chunk) ) while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) )
{ {
endptr = strstr(endptr, "\r\n"); endptr = strstr(endptr, "\r\n");
if (!endptr) if (!endptr)