summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2017-07-31 17:11:18 +0200
committerDaniel Stenberg <daniel@haxx.se>2017-07-31 17:11:18 +0200
commitea9ca258fc8f5afe9cb20c82c35f6322a7387924 (patch)
tree4870905c1772daf6d56d2e645ede547c7fbfcacb
parent512f8c774a8ae541d2e4fbccdd94e4bb0d39e90c (diff)
downloadcurl-bagder/http-response-code.tar.gz
http: fix response code parser to avoid integer overflowbagder/http-response-code
test 1429 and1433 were updated to work with the stricter HTTP status line parser. Reported-by: Brian Carpenter
-rw-r--r--lib/http.c15
-rw-r--r--tests/data/test14292
-rw-r--r--tests/data/test143320
3 files changed, 16 insertions, 21 deletions
diff --git a/lib/http.c b/lib/http.c
index 319a8192c..d66b8482f 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3322,19 +3322,22 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
* says. We try to allow any number here, but we cannot make
* guarantees on future behaviors since it isn't within the protocol.
*/
+ char separator;
nc = sscanf(HEADER1,
- " HTTP/%d.%d %d",
+ " HTTP/%1d.%1d%c%3d",
&httpversion_major,
&conn->httpversion,
+ &separator,
&k->httpcode);
if(nc == 1 && httpversion_major == 2 &&
1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)) {
conn->httpversion = 0;
- nc = 3;
+ nc = 4;
+ separator = ' ';
}
- if(nc==3) {
+ if((nc==4) && (' ' == separator)) {
conn->httpversion += 10 * httpversion_major;
if(k->upgr101 == UPGR101_RECEIVED) {
@@ -3343,7 +3346,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
infof(data, "Lying server, not serving HTTP/2\n");
}
}
- else {
+ else if(!nc) {
/* this is the real world, not a Nirvana
NCSA 1.5.x returns this crap when asked for HTTP/1.1
*/
@@ -3361,6 +3364,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
}
}
}
+ else {
+ failf(data, "Unsupported HTTP version in response\n");
+ return CURLE_UNSUPPORTED_PROTOCOL;
+ }
}
else if(conn->handler->protocol & CURLPROTO_RTSP) {
nc = sscanf(HEADER1,
diff --git a/tests/data/test1429 b/tests/data/test1429
index ddf52ec42..114dc0dba 100644
--- a/tests/data/test1429
+++ b/tests/data/test1429
@@ -54,7 +54,7 @@ Content-Type: text/html
Funny-head: yesyes
-foo-
-1234
+123
</stdout>
<strip>
^User-Agent:.*
diff --git a/tests/data/test1433 b/tests/data/test1433
index 8634db2c4..a159daff3 100644
--- a/tests/data/test1433
+++ b/tests/data/test1433
@@ -34,28 +34,13 @@ http
HTTP GET with 100-digit subversion number in response
</name>
<command>
-http://%HOSTIP:%HTTPPORT/1433 --write-out '%{response_code}'
+http://%HOSTIP:%HTTPPORT/1433
</command>
</client>
#
# Verify data after the test has been "shot"
<verify>
-<stdout nonewline="yes">
-HTTP/1.0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 200 OK
-Date: Thu, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-ETag: "21025-dc7-39462498"
-Accept-Ranges: bytes
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-
--foo-
-200
-</stdout>
<strip>
^User-Agent:.*
</strip>
@@ -65,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
Accept: */*
</protocol>
+<errorcode>
+1
+</errorcode>
</verify>
</testcase>