Author: Jason A. Donenfeld <Jason@zx2c4.com>
filter: avoid integer overflow in authenticate_post ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas <Erik@cabetas.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
cgit.c | 2 +-
diff --git a/cgit.c b/cgit.c index 5937b9e503d8f8642692196385ae705fa59b371c..05e5d5737d71cc302868ffd4f6388e8d1f947e9d 100644 --- a/cgit.c +++ b/cgit.c @@ -651,7 +651,7 @@ /* The filter is expected to spit out "Status: " and all headers. */ static inline void authenticate_post(void) { char buffer[MAX_AUTHENTICATION_POST_BYTES]; - int len; + unsigned int len; open_auth_filter("authenticate-post"); len = ctx.env.content_length;