From 1f509f31b6f8420a3661c3f990424ab7b9164931 Mon Sep 17 00:00:00 2001
From: Patrick Griffis
Date: Tue, 11 Feb 2025 14:36:26 -0600
Subject: [PATCH 1/2] headers: Handle parsing edge case

This version number is specifically crafted to pass sanity checks
allowing it to go one byte out of bounds.
---
 libsoup/soup-headers.c | 2 +-
 tests/header-parsing-test.c | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 85385cea..9d6d00a3 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -225,7 +225,7 @@ soup_headers_parse_request (const char *str,
 !g_ascii_isdigit (version[5]))
 return SOUP_STATUS_BAD_REQUEST;
 major_version = strtoul (version + 5, &p, 10);
- if (*p != '.' || !g_ascii_isdigit (p[1]))
+ if (p + 1 >= str + len || *p != '.' || !g_ascii_isdigit (p[1]))
 return SOUP_STATUS_BAD_REQUEST;
 minor_version = strtoul (p + 1, &p, 10);
 version_end = p;
--
GitLab

From af5b9a4a3945c52b940d5ac181ef51bb12011f1f Mon Sep 17 00:00:00 2001
From: Patrick Griffis
Date: Wed, 12 Feb 2025 11:30:02 -0600
Subject: [PATCH 2/2] headers: Handle parsing only newlines

Closes #404
Closes #407
---
 libsoup/soup-headers.c | 4 ++--
 tests/header-parsing-test.c | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 9d6d00a3..52ef2ece 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -186,7 +186,7 @@ soup_headers_parse_request (const char *str,
 /* RFC 2616 4.1 "servers SHOULD ignore any empty line(s)
 * received where a Request-Line is expected."
 */
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
 str++;
 len--;
 }
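Review bot: The new bound on the `if` protects only the read of `p[1]`; the `strtoul (version + 5, &p, 10)` on the line above is itself unbounded by `len`, so on a buffer whose final bytes inside `len` are all digits and which carries no terminator, strtoul walks past `str + len` before the guard ever runs. If the caller guarantees a CR/LF or NUL inside `len` (not visible from this hunk) that is moot; otherwise the digit run needs to be bounded before strtoul is called. Separately, when `p == str + len` the expression `p + 1` forms a pointer beyond one-past-the-end, which C does not permit even without a dereference; `if ((p - str) + 1 >= len || *p != '.' || !g_ascii_isdigit (p[1]))` makes the same check on offsets instead. soup_headers_parse_request starts and ends outside the hunk.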
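Review bot: With `len` now tested first, the loop can exit with `len == 0` and `str` pointing at the end of the buffer, and the code after the closing brace — outside this hunk — is where the all-newlines input the commit describes must be rejected before any further `*str` read; I cannot see from the hunk whether that code checks `len` first, so `if (len == 0) return SOUP_STATUS_BAD_REQUEST;` directly after the loop would make the fix self-contained. The same reordering appears in the `@@ -371` hunk of soup_headers_parse_response, where the same question applies with that function's own failure value. Since both functions now carry an identical empty-line skip, a small `static` helper that advances `str` and `len` together would keep the two from drifting apart again. Both soup_headers_parse_request and soup_headers_parse_response start and end outside their hunks.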
@@ -371,7 +371,7 @@ soup_headers_parse_response (const char *str,
 * after a response, which we then see prepended to the next
 * response on that connection.
 */
- while ((*str == '\r' || *str == '\n') && len > 0) {
+ while (len > 0 && (*str == '\r' || *str == '\n')) {
 str++;
 len--;
 }
--
GitLab