From: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Tue, 24 Nov 2015 10:28:00 +0000 (+0100)
Subject: filter: avoid integer overflow in authenticate_post
X-Git-Url: https://gitweb.ps.run/ps-cgit/commitdiff_plain/4458abf64172a62b92810c2293450106e6dfc763?ds=inline;hp=4458abf64172a62b92810c2293450106e6dfc763

filter: avoid integer overflow in authenticate_post

ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this into an int, we potentially
overflow it, resulting in the following bounding check failing, leading
to a buffer overflow.

Reported-by: Erik Cabetas <Erik@cabetas.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---