diff options
author | Daniel Stenberg <daniel@haxx.se> | 2017-07-31 17:11:18 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-07-31 17:11:18 +0200 |
commit | ea9ca258fc8f5afe9cb20c82c35f6322a7387924 (patch) | |
tree | 4870905c1772daf6d56d2e645ede547c7fbfcacb | |
parent | 512f8c774a8ae541d2e4fbccdd94e4bb0d39e90c (diff) | |
download | curl-bagder/http-response-code.tar.gz |
http: fix response code parser to avoid integer overflowbagder/http-response-code
test 1429 and1433 were updated to work with the stricter HTTP status
line parser.
Reported-by: Brian Carpenter
-rw-r--r-- | lib/http.c | 15 | ||||
-rw-r--r-- | tests/data/test1429 | 2 | ||||
-rw-r--r-- | tests/data/test1433 | 20 |
3 files changed, 16 insertions, 21 deletions
diff --git a/lib/http.c b/lib/http.c index 319a8192c..d66b8482f 100644 --- a/lib/http.c +++ b/lib/http.c @@ -3322,19 +3322,22 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, * says. We try to allow any number here, but we cannot make * guarantees on future behaviors since it isn't within the protocol. */ + char separator; nc = sscanf(HEADER1, - " HTTP/%d.%d %d", + " HTTP/%1d.%1d%c%3d", &httpversion_major, &conn->httpversion, + &separator, &k->httpcode); if(nc == 1 && httpversion_major == 2 && 1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)) { conn->httpversion = 0; - nc = 3; + nc = 4; + separator = ' '; } - if(nc==3) { + if((nc==4) && (' ' == separator)) { conn->httpversion += 10 * httpversion_major; if(k->upgr101 == UPGR101_RECEIVED) { @@ -3343,7 +3346,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, infof(data, "Lying server, not serving HTTP/2\n"); } } - else { + else if(!nc) { /* this is the real world, not a Nirvana NCSA 1.5.x returns this crap when asked for HTTP/1.1 */ @@ -3361,6 +3364,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, } } } + else { + failf(data, "Unsupported HTTP version in response\n"); + return CURLE_UNSUPPORTED_PROTOCOL; + } } else if(conn->handler->protocol & CURLPROTO_RTSP) { nc = sscanf(HEADER1, diff --git a/tests/data/test1429 b/tests/data/test1429 index ddf52ec42..114dc0dba 100644 --- a/tests/data/test1429 +++ b/tests/data/test1429 @@ -54,7 +54,7 @@ Content-Type: text/html Funny-head: yesyes -foo- -1234 +123 </stdout> <strip> ^User-Agent:.* diff --git a/tests/data/test1433 b/tests/data/test1433 index 8634db2c4..a159daff3 100644 --- a/tests/data/test1433 +++ b/tests/data/test1433 @@ -34,28 +34,13 @@ http HTTP GET with 100-digit subversion number in response </name> <command> -http://%HOSTIP:%HTTPPORT/1433 --write-out '%{response_code}' +http://%HOSTIP:%HTTPPORT/1433 </command> </client> # # Verify data after the test has been "shot" <verify> -<stdout nonewline="yes"> -HTTP/1.0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 200 OK -Date: Thu, 09 Nov 2010 14:49:00 GMT -Server: test-server/fake -Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -ETag: "21025-dc7-39462498" -Accept-Ranges: bytes -Content-Length: 6 -Connection: close -Content-Type: text/html -Funny-head: yesyes - --foo- -200 -</stdout> <strip> ^User-Agent:.* </strip> @@ -65,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT Accept: */*
</protocol> +<errorcode> +1 +</errorcode> </verify> </testcase> |