fix(http1): protect against overflow in chunked decoder

The HTTP/1 chunked decoder, when decoding the size of a chunk, could overflow the size if the hex digits were too large. This fixes it by adding an overflow check in the decoder. See GHSA-5h46-h7hh-c6x9
2021-07-01 12:34:38 -07:00
parent 11cb4725ad
commit 1068b994df
2 changed files with 51 additions and 7 deletions
--- a/tests/server.rs
+++ b/tests/server.rs
@@ -431,6 +431,35 @@ fn post_with_chunked_body() {
    assert_eq!(server.body(), b"qwert");
 }

+#[test]
+fn post_with_chunked_overflow() {
+    let server = serve();
+    let mut req = connect(server.addr());
+    req.write_all(
+        b"\
+        POST / HTTP/1.1\r\n\
+        Host: example.domain\r\n\
+        Transfer-Encoding: chunked\r\n\
+        \r\n\
+        f0000000000000003\r\n\
+        abc\r\n\
+        0\r\n\
+        \r\n\
+        GET /sneaky HTTP/1.1\r\n\
+        \r\n\
+    ",
+    )
+    .unwrap();
+    req.read(&mut [0; 256]).unwrap();
+
+    let err = server.body_err().to_string();
+    assert!(
+        err.contains("overflow"),
+        "error should be overflow: {:?}",
+        err
+    );
+}
+
 #[test]
 fn post_with_incomplete_body() {
    let _ = pretty_env_logger::try_init();