Merge pull request #2580 from cesanta/2552

Fix #2552 - reject requests with invalid/absent chunk length
2025-01-14 01:38:01 +08:00 · 2024-01-22 09:20:56 -03:00 · 2024-01-22 09:20:56 -03:00 · 00ea3830a7
commit 00ea3830a7
parent 3880300cd9 6b0e4a425d
3 changed files with 21 additions and 3 deletions
--- a/mongoose.c
+++ b/mongoose.c
@ -3159,6 +3159,7 @@ static int skip_chunk(const char *buf, int len, int *pl, int *dl) {
  int i = 0, n = 0;
  if (len < 3) return 0;
  while (i < len && is_hex_digit(buf[i])) i++;
+  if (i == 0) return -1;                     // Error, no length specified
  if (i > (int) sizeof(int) * 2) return -1;  // Chunk length is too big
  if (len < i + 1 || buf[i] != '\r' || buf[i + 1] != '\n') return -1;  // Error
  n = (int) mg_unhexn(buf, (size_t) i);  // Decode chunk length
--- a/src/http.c
+++ b/src/http.c
@ -1,7 +1,7 @@
-#include "http.h"
 #include "arch.h"
 #include "base64.h"
 #include "fmt.h"
+#include "http.h"
 #include "json.h"
 #include "log.h"
 #include "net.h"
@ -962,6 +962,7 @@ static int skip_chunk(const char *buf, int len, int *pl, int *dl) {
  int i = 0, n = 0;
  if (len < 3) return 0;
  while (i < len && is_hex_digit(buf[i])) i++;
+  if (i == 0) return -1;                     // Error, no length specified
  if (i > (int) sizeof(int) * 2) return -1;  // Chunk length is too big
  if (len < i + 1 || buf[i] != '\r' || buf[i + 1] != '\n') return -1;  // Error
  n = (int) mg_unhexn(buf, (size_t) i);  // Decode chunk length
--- a/test/unit_test.c
+++ b/test/unit_test.c
@ -1161,6 +1161,22 @@ static void test_http_server(void) {
  }
 #endif

+  // #2552, reject chunks with no length
+  ASSERT(fetch(&mgr, buf, url,
+               "POST / HTTP/1.1\r\n"
+               "Transfer-Encoding: chunked\r\n\r\n"
+               "1\r\n"
+               "Z\r\n"
+               "?\r\n"
+               "\r\n") == 0);
+  ASSERT(fetch(&mgr, buf, url,
+               "POST / HTTP/1.1\r\n"
+               "Transfer-Encoding: chunked\r\n\r\n"
+               "1\r\n"
+               "Z\r\n"
+               "\r\n"
+               "\r\n") == 0);
+
  mg_mgr_free(&mgr);
  ASSERT(mgr.conns == NULL);
 }
@ -1605,11 +1621,11 @@ static void test_http_parse(void) {
    ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
    s = "a\nb:b\nc:c\n\n";
    ASSERT(mg_http_parse(s, strlen(s), &hm) < 0);
-    s = "a b\nc: \xc0\n\n"; // Invalid UTF in the header value: accept
+    s = "a b\nc: \xc0\n\n";  // Invalid UTF in the header value: accept
    ASSERT(mg_http_parse(s, strlen(s), &hm) == (int) strlen(s));
    ASSERT((v = mg_http_get_header(&hm, "c")) != NULL);
    ASSERT(mg_vcmp(v, "\xc0") == 0);
-    s = "a b\n\xc0: 2\n\n"; // Invalid UTF in the header name: do NOT accept
+    s = "a b\n\xc0: 2\n\n";  // Invalid UTF in the header name: do NOT accept
    ASSERT(mg_http_parse(s, strlen(s), &hm) == -1);
  }
 }