Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 18:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

HTTP: Make Content-Range parsing more robust

Browse source 
This was exposed by OSS-Fuzz after the HTTP/0.9 changes in zeek/zeek#2851:
We do not check the result of parsing the from and last bytes of a
Content-Range header and would reference uninitialized values on the stack
if these were not valid.

This doesn't seem as bad as it sounds outside of yielding non-sensible values:
If the result was negative, we weird/bailed. If the result was positive, we
already had to treat it with suspicion anyway and the SetPlainDelivery()
logic accounts for that.
This commit is contained in:
Arne Welzel 2023-03-13 10:19:26 +01:00
parent b14cc413d8
commit b21e6f72da
5 changed files with 33 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/analyzer/protocol/http/HTTP.cc
View file

@ -425,8 +425,14 @@ void HTTP_Entity::SubmitHeader(analyzer::mime::MIME_Header* h)
first_byte_pos.c_str(), last_byte_pos.c_str(), instance_length_str.c_str());
int64_t f, l;
util::atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), nullptr, 10, f);
util::atoi_n(last_byte_pos.size(), last_byte_pos.c_str(), nullptr, 10, l);
int fr = util::atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), nullptr, 10, f);
int lr = util::atoi_n(last_byte_pos.size(), last_byte_pos.c_str(), nullptr, 10, l);
if ( fr != 1 || lr != 1 )
{
http_message->Weird("HTTP_content_range_cannot_parse");
return;
}
int64_t len = l - f + 1;
if ( DEBUG_http )