all repos — cgit @ 4458abf64172a62b92810c2293450106e6dfc763

a hyperfast web frontend for git written in c 

filter: avoid integer overflow in authenticate_post

ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.

Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Jason A. Donenfeld Jason@zx2c4.com
Tue, 24 Nov 2015 11:28:00 +0100
commit

4458abf64172a62b92810c2293450106e6dfc763

parent

ffe09621f2626c692a16b249a52112ba8070aa79

1 files changed, 1 insertions(+), 1 deletions(-)

jump to
M cgit.ccgit.c 
@@ -651,7 +651,7 @@ /* The filter is expected to spit out "Status: " and all headers. */
 static inline void authenticate_post(void)
 {
 	char buffer[MAX_AUTHENTICATION_POST_BYTES];
-	int len;
+	unsigned int len;
 
 	open_auth_filter("authenticate-post");
 	len = ctx.env.content_length;