
List:       helix-filesystem-cvs
Subject:    [Filesystem-cvs] http httpfsys.cpp,1.109.2.5,1.109.2.6
From:       ehyche () helixcommunity ! org
Date:       2008-01-18 20:47:22
Message-ID: 200801182048.m0IKm3YU030317 () mailer ! progressive-comp ! com

Update of /cvsroot/filesystem/http
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv22350

Modified Files:
      Tag: hxclient_3_1_0_atlas
	httpfsys.cpp 
Log Message:
Description
-------------------------------------
This change fixes a crash in the http filesystem when
a malicious chunked encoding chunk size is constructed.
This crash is detailed in bug 211207.

Files Modified
-------------------------------------
filesystem/http/httpfsys.cpp

Branches
-------------------------------------
HEAD, 150Cay, 203Cay, 204Cay, 310Atlas



Index: httpfsys.cpp
===================================================================
RCS file: /cvsroot/filesystem/http/httpfsys.cpp,v
retrieving revision 1.109.2.5
retrieving revision 1.109.2.6
diff -u -d -r1.109.2.5 -r1.109.2.6
--- httpfsys.cpp	1 Nov 2007 02:54:43 -0000	1.109.2.5
+++ httpfsys.cpp	18 Jan 2008 20:47:18 -0000	1.109.2.6
@@ -8867,7 +8867,10 @@
         if (CE_HEADER_READY == pChunkedEncoding->state)
         {
             // parse the chunk head
-            pChunkedEncoding->size = strtoul(pChunkedEncoding->buf, &errstr, 16);
+            INT32 lSize = (INT32) strtol(pChunkedEncoding->buf, &errstr, 16);
+            if (lSize >= 0)
+            {
+                pChunkedEncoding->size = (unsigned long) lSize;
             HX_ASSERT(pChunkedEncoding->size <= pChunkedEncoding->maxChunkSizeAccepted);
             if (pChunkedEncoding->size > pChunkedEncoding->maxChunkSizeAccepted)
             {
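Review bot: The `(INT32) strtol(...)` cast on the added line narrows the parsed value before any range check, so on platforms where `long` is wider than 32 bits a chunk size above the 32-bit range can wrap to a small non-negative number and pass both `lSize >= 0` and the `maxChunkSizeAccepted` test. Keep the result in a `long`, reject it if it is negative or greater than `maxChunkSizeAccepted`, and only then assign it to `pChunkedEncoding->size`. The visible lines also never compare `errstr` with `pChunkedEncoding->buf`, so a header with no hex digits parses as size 0; a check for that belongs here as well. The `HX_ASSERT` and the following `if`, now inside the new block, are left at the old indentation.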
@@ -8876,7 +8879,14 @@
                 // the limit was chosen arbitrarily, we can revise it if required.
                 rc = HXR_UNEXPECTED;
                 break;
-            };
+                }
+            }
+            else
+            {
+                // Chunk size was set to < 0, which is an error.
+                rc = HXR_FAILED;
+                break;
+            }
 
             if (pChunkedEncoding->size > 0)
             {
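Review bot: The new `else` branch returns `HXR_FAILED` while the oversize branch just above it returns `HXR_UNEXPECTED`, so two rejections of the same malformed field surface as different result codes; use one code for both or note in the comment why they differ. The comment "Chunk size was set to < 0" is also narrower than the condition, since `lSize` is the result of an `(INT32)` cast and can be negative for a large positive input as well as for a leading minus sign; wording such as "chunk size out of range" would match what the check actually catches. The closing brace that replaces `};` is indented one level deeper than the `if` it closes, because the body of the new block was not re-indented.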


_______________________________________________
Filesystem-cvs mailing list
Filesystem-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/filesystem-cvs