From 89ef3d95e781148a0951956029c92a211477f7f9 Mon Sep 17 00:00:00 2001
From: Katie Hockman <katie@golang.org>
Date: Fri, 23 Apr 2021 12:56:01 -0400
Subject: [PATCH] http/httpguts: remove recursion in HeaderValuesContainsToken

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Fixes golang/go#45710

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
 http/httpguts/httplex.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
index e7de24ee6..c79aa73f2 100644
--- a/http/httpguts/httplex.go
+++ b/http/httpguts/httplex.go
@@ -137,11 +137,13 @@ func trimOWS(x string) string {
 // contains token amongst its comma-separated tokens, ASCII
 // case-insensitively.
 func headerValueContainsToken(v string, token string) bool {
-	v = trimOWS(v)
-	if comma := strings.IndexByte(v, ','); comma != -1 {
-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
+	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
+		if tokenEqual(trimOWS(v[:comma]), token) {
+			return true
+		}
+		v = v[comma+1:]
 	}
-	return tokenEqual(v, token)
+	return tokenEqual(trimOWS(v), token)
 }
 
 // lowerASCII returns the ASCII lowercase version of b.