File: filter-avoid-integer-overflow-in-authenticate_post.patch

package info (click to toggle)
cgit 0.10.2.git2.0.1-3%2Bdeb8u1
  • links: PTS
  • area: main
  • in suites: jessie
  • size: 26,640 kB
  • ctags: 19,675
  • sloc: ansic: 159,238; sh: 129,259; perl: 29,890; tcl: 21,214; python: 5,362; makefile: 3,295; lisp: 1,786; php: 120; asm: 98; csh: 45
file content (34 lines) | stat: -rw-r--r-- 1,121 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From 4458abf64172a62b92810c2293450106e6dfc763 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 24 Nov 2015 11:28:00 +0100
Subject: [PATCH] filter: avoid integer overflow in authenticate_post

ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.

Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 cgit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cgit.c b/cgit.c
index 5937b9e..05e5d57 100644
--- a/cgit.c
+++ b/cgit.c
@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
 static inline void authenticate_post(void)
 {
 	char buffer[MAX_AUTHENTICATION_POST_BYTES];
-	int len;
+	unsigned int len;
 
 	open_auth_filter("authenticate-post");
 	len = ctx.env.content_length;
-- 
2.7.0