filter: avoid integer overflow in authenticate_post - cgit - A hyperfast web frontend for git repositories written in C.

diff options

author	Jason A. Donenfeld <Jason@zx2c4.com>	2015-11-24 11:28:00 +0100
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2015-11-24 11:31:43 +0100
commit	4458abf64172a62b92810c2293450106e6dfc763 (patch)
tree	92a3f3587e85c11c77d11769a45d55ddb2fd81a6 /ui-clone.c
parent	about-formatting.sh: comment text out of date (diff)
download	cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.xz cgit-4458abf64172a62b92810c2293450106e6dfc763.zip

filter: avoid integer overflow in authenticate_post

ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas <Erik@cabetas.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Diffstat (limited to 'ui-clone.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: