From a252d4eebcb641e1e44a0d23844407fa3280cc45 Mon Sep 17 00:00:00 2001
From: Alexis Campailla
Date: Mon, 27 Jan 2014 07:24:01 -0800
Subject: [PATCH] fix content-length and chunk-size overflow test

The overflow check didn't work for all possible inputs.
---
 http_parser.c | 8 ++++----
 test.c | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/http_parser.c b/http_parser.c
index b9dabb8..a131a38 100644
--- a/http_parser.c
+++ b/http_parser.c
@@ -1509,8 +1509,8 @@ size_t http_parser_execute (http_parser *parser,
 t *= 10;
 t += ch - '0';
- /* Overflow? */
- if (t < parser->content_length || t == ULLONG_MAX) {
+ /* Overflow? Test against a conservative limit for simplicity. */
+ if ((ULLONG_MAX - 10) / 10 < parser->content_length) {
 SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
 goto error;
 }
@@ -1782,8 +1782,8 @@ size_t http_parser_execute (http_parser *parser,
 t *= 16;
 t += unhex_val;
- /* Overflow? */
- if (t < parser->content_length || t == ULLONG_MAX) {
+ /* Overflow? Test against a conservative limit for simplicity. */
+ if ((ULLONG_MAX - 16) / 16 < parser->content_length) {
 SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
 goto error;
 }
diff --git a/test.c b/test.c
index 6a05b0d..9aaa5ad 100644
--- a/test.c
+++ b/test.c
@@ -2938,7 +2938,7 @@ test_header_content_length_overflow_error (void)
 "HTTP/1.1 200 OK\r\n" \
 "Content-Length: " #size "\r\n" \
 "\r\n"
- const char a[] = X(18446744073709551614); /* 2^64-2 */
+ const char a[] = X(1844674407370955160); /* 2^64 / 10 - 1 */
 const char b[] = X(18446744073709551615); /* 2^64-1 */
 const char c[] = X(18446744073709551616); /* 2^64 */
 #undef X
@@ -2956,7 +2956,7 @@ test_chunk_content_length_overflow_error (void)
 "\r\n" \
 #size "\r\n" \
 "..."
- const char a[] = X(FFFFFFFFFFFFFFFE); /* 2^64-2 */
+ const char a[] = X(FFFFFFFFFFFFFFE); /* 2^64 / 16 - 1 */
 const char b[] = X(FFFFFFFFFFFFFFFF); /* 2^64-1 */
 const char c[] = X(10000000000000000); /* 2^64 */
 #undef X
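Review bot: The guard `if ((ULLONG_MAX - 10) / 10 < parser->content_length)` in the Content-Length hunk takes its limit from `unsigned long long`, while the value that must not wrap is `t`, whose declaration is outside this hunk. If `t` and `content_length` are a fixed 64-bit type, the test is only sound where `unsigned long long` is exactly 64 bits; deriving the limit from the field's own type, for example `if (((uint64_t) -1 - 10) / 10 < parser->content_length)`, removes that assumption. The comment could also record that the check runs after `t` may already have wrapped and that it deliberately refuses the last few representable values, e.g. `/* Overflow? Reject once the old value exceeds (max - 10) / 10; the top few representable lengths are refused too. */`. The chunk-size hunk with `(ULLONG_MAX - 16) / 16` has the same two points, and http_parser_execute continues outside both hunks.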
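Review bot: In the chunk-size hunk an oversized chunk length is still reported through `SET_ERRNO(HPE_INVALID_CONTENT_LENGTH)`, so a caller or a log reader cannot tell a malformed chunk-size line from a bad Content-Length header. If the project's error enum has a chunk-specific code (upstream http_parser.h defines `HPE_INVALID_CHUNK_SIZE`), using it here as `SET_ERRNO(HPE_INVALID_CHUNK_SIZE);` would keep the two conditions apart for detection and triage. The enum is not visible on this page, so this needs checking against the header and against any test that asserts the error code.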
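Review bot: The header test in this hunk does not exercise the edge of the new guard: `a` has 19 digits, so the guard is only ever evaluated with an 18-digit `content_length`, far below `(ULLONG_MAX - 10) / 10`, and `b` and `c` are both past it. Two more cases would pin the boundary, `X(18446744073709551609)` as the largest length the guard accepts and `X(18446744073709551610)` as the smallest it rejects. The chunk test in the next hunk has the same gap, with `X(FFFFFFFFFFFFFFEF)` and `X(FFFFFFFFFFFFFFF0)` as the corresponding pair. The calls that state which inputs must pass or fail are outside the hunk, so the expectations would have to be added there as well.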
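Review bot: The comment on `a` in the chunk test does not match the literal: `FFFFFFFFFFFFFFE` is 15 hex digits ending in E, which is 2^60 - 2, whereas `2^64 / 16 - 1` is `FFFFFFFFFFFFFFF`. Either the comment should read `/* 2^64 / 16 - 2 */` or the value should become `X(FFFFFFFFFFFFFFF)`. Both values stay below the new guard's limit, so this is a documentation fix only.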