1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
|
From 89ef3d95e781148a0951956029c92a211477f7f9 Mon Sep 17 00:00:00 2001
From: Katie Hockman <katie@golang.org>
Date: Fri, 23 Apr 2021 12:56:01 -0400
Subject: [PATCH] http/httpguts: remove recursion in HeaderValuesContainsToken
Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).
Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.
Fixes CVE-2021-31525
Fixes golang/go#45710
Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
http/httpguts/httplex.go | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
index e7de24ee6..c79aa73f2 100644
--- a/http/httpguts/httplex.go
+++ b/http/httpguts/httplex.go
@@ -137,11 +137,13 @@ func trimOWS(x string) string {
// contains token amongst its comma-separated tokens, ASCII
// case-insensitively.
func headerValueContainsToken(v string, token string) bool {
- v = trimOWS(v)
- if comma := strings.IndexByte(v, ','); comma != -1 {
- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
+ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
+ if tokenEqual(trimOWS(v[:comma]), token) {
+ return true
+ }
+ v = v[comma+1:]
}
- return tokenEqual(v, token)
+ return tokenEqual(trimOWS(v), token)
}
// lowerASCII returns the ASCII lowercase version of b.
|