Commit 909283ae authored by Daniel Stenberg's avatar Daniel Stenberg

http: fix response code parser to avoid integer overflow

test 1429 and 1433 were updated to work with the stricter HTTP status line
parser.

Closes #1714
Reported-by: Brian Carpenter
parent 512f8c77
+11 −4
@@ -3322,19 +3322,22 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
         * says. We try to allow any number here, but we cannot make
         * guarantees on future behaviors since it isn't within the protocol.
         */
        char separator;
        nc = sscanf(HEADER1,
                    " HTTP/%d.%d %d",
                    " HTTP/%1d.%1d%c%3d",
                    &httpversion_major,
                    &conn->httpversion,
                    &separator,
                    &k->httpcode);

        if(nc == 1 && httpversion_major == 2 &&
           1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)) {
          conn->httpversion = 0;
          nc = 3;
          nc = 4;
          separator = ' ';
        }

        if(nc==3) {
        if((nc==4) && (' ' == separator)) {
          conn->httpversion += 10 * httpversion_major;

          if(k->upgr101 == UPGR101_RECEIVED) {
@@ -3343,7 +3346,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
              infof(data, "Lying server, not serving HTTP/2\n");
          }
        }
        else {
        else if(!nc) {
          /* this is the real world, not a Nirvana
             NCSA 1.5.x returns this crap when asked for HTTP/1.1
          */
@@ -3361,6 +3364,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
            }
          }
        }
        else {
          failf(data, "Unsupported HTTP version in response\n");
          return CURLE_UNSUPPORTED_PROTOCOL;
        }
      }
      else if(conn->handler->protocol & CURLPROTO_RTSP) {
        nc = sscanf(HEADER1,
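Review bot: The HTTP/2 fallback `1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)` still converts the status code with an unbounded `%d`, so an over-long code from the server on that path reaches the same out-of-range conversion this commit removes from the main format string. Bounding it the same way, `1 == sscanf(HEADER1, " HTTP/2 %3d", &k->httpcode)`, would keep both paths consistent. Separately, `%3d` stops after three characters without checking what follows and also accepts a sign, so a longer or signed code appears to be truncated or accepted rather than rejected; a comment above the first sscanf such as `/* %3d caps the code at three characters; trailing digits are ignored, not rejected */` would make that intent explicit. Curl_http_readwrite_headers starts and ends outside these hunks, so any later validation of k->httpcode is not visible here.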
+1 −1
@@ -54,7 +54,7 @@ Content-Type: text/html
Funny-head: yesyes

-foo-
1234
123
</stdout>
<strip>
^User-Agent:.*
+4 −16
@@ -34,28 +34,13 @@ http
HTTP GET with 100-digit subversion number in response
 </name>
 <command>
http://%HOSTIP:%HTTPPORT/1433  --write-out '%{response_code}'
http://%HOSTIP:%HTTPPORT/1433
</command>
</client>

#
# Verify data after the test has been "shot"
<verify>
<stdout nonewline="yes">
HTTP/1.0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
ETag: "21025-dc7-39462498"
Accept-Ranges: bytes
Content-Length: 6
Connection: close
Content-Type: text/html
Funny-head: yesyes

-foo-
200
</stdout>
<strip>
^User-Agent:.*
</strip>
@@ -65,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
Accept: */*

</protocol>
<errorcode>
1
</errorcode>
</verify>
</testcase>