bendns' repos / cgit
the repository which powers this website
filter: avoid integer overflow in authenticate_post
ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas <[email protected]> Signed-off-by: Jason A. Donenfeld <[email protected]>
Browse Source
Jason A. Donenfeld 2015-11-24
parent ffe0962 · commit 4458abf
Diffstat
-rw-r--r--cgit.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/cgit.c b/cgit.c
index 5937b9e5..05e5d573 100644
--- a/cgit.c
+++ b/cgit.c
@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
static inline void authenticate_post(void)
{
char buffer[MAX_AUTHENTICATION_POST_BYTES];
- int len;
+ unsigned int len;
open_auth_filter("authenticate-post");
len = ctx.env.content_length;