Added check for negative value for HTTP Content-Length header

cesanta · May 16, 2023 · 4663090 · 4663090
1 parent 9088b00
commit 4663090
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/mongoose.c b/mongoose.c
@@ -1463,7 +1463,9 @@ int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
   mg_http_parse_headers(s, end, hm->headers,
                         sizeof(hm->headers) / sizeof(hm->headers[0]));
   if ((cl = mg_http_get_header(hm, "Content-Length")) != NULL) {
-    hm->body.len = (size_t) mg_to64(*cl);
+    int64_t content_len = mg_to64(*cl);
+    if(content_len < 0) return -1;
+    hm->body.len = (size_t) content_len;
     hm->message.len = (size_t) req_len + hm->body.len;
   }
 

diff --git a/src/http.c b/src/http.c
@@ -231,7 +231,9 @@ int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
   mg_http_parse_headers(s, end, hm->headers,
                         sizeof(hm->headers) / sizeof(hm->headers[0]));
   if ((cl = mg_http_get_header(hm, "Content-Length")) != NULL) {
-    hm->body.len = (size_t) mg_to64(*cl);
+    int64_t content_len = mg_to64(*cl);
+    if(content_len < 0) return -1;
+    hm->body.len = (size_t) content_len;
     hm->message.len = (size_t) req_len + hm->body.len;
   }
 

diff --git a/test/unit_test.c b/test/unit_test.c
@@ -790,6 +790,10 @@ static void test_http_server(void) {
   ASSERT(fetch(&mgr, buf, url, "GET /..ddot HTTP/1.0\n\n") == 301);
   ASSERT(fetch(&mgr, buf, url, "GET /..ddot/ HTTP/1.0\n\n") == 200);
   ASSERT(cmpbody(buf, "hi\n") == 0);
+  ASSERT(fetch(&mgr, buf, url, "GET /a.txt HTTP/1.0\n"
+        "Content-Length: -123\n\n") == 0);
+  ASSERT(fetch(&mgr, buf, url, "POST /a.txt HTTP/1.0\n"
+               "Content-Length: -123\n\n") == 0);
 
   {
     extern char *mg_http_etag(char *, size_t, size_t, time_t);