filter: avoid integer overflow in authenticate_post

ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow. Reported-by: Erik Cabetas <Erik@cabetas.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2015-11-24 11:28:00 +0100
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2015-11-24 11:31:43 +0100
commit: 4458abf64172a62b92810c2293450106e6dfc763 (patch)
tree: 92a3f3587e85c11c77d11769a45d55ddb2fd81a6
parent: ffe09621f2626c692a16b249a52112ba8070aa79 (diff)
download: cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.gz
cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.bz2
cgit-4458abf64172a62b92810c2293450106e6dfc763.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/cgit.c b/cgit.c
index 5937b9e..05e5d57 100644
--- a/cgit.c
+++ b/cgit.c
@@ -651,7 +651,7 @@ static inline void open_auth_filter(const char *function)
 static inline void authenticate_post(void)
 {
 	char buffer[MAX_AUTHENTICATION_POST_BYTES];
-	int len;
+	unsigned int len;
 
 	open_auth_filter("authenticate-post");
 	len = ctx.env.content_length;
author	Jason A. Donenfeld <Jason@zx2c4.com>	2015-11-24 11:28:00 +0100
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2015-11-24 11:31:43 +0100
commit	4458abf64172a62b92810c2293450106e6dfc763 (patch)
tree	92a3f3587e85c11c77d11769a45d55ddb2fd81a6
parent	ffe09621f2626c692a16b249a52112ba8070aa79 (diff)
download	cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.gz cgit-4458abf64172a62b92810c2293450106e6dfc763.tar.bz2 cgit-4458abf64172a62b92810c2293450106e6dfc763.zip