From bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf Mon Sep 17 00:00:00 2001 From: Bartosz Spyrko-Smietanko Date: Tue, 25 Feb 2020 13:26:20 +0000 Subject: [PATCH] [UNDERTOW-1708][JBEAP-18537] Fix overflow of chunk size --- core/src/main/java/io/undertow/UndertowMessages.java | 3 +++ core/src/main/java/io/undertow/conduits/ChunkReader.java | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/core/src/main/java/io/undertow/UndertowMessages.java b/core/src/main/java/io/undertow/UndertowMessages.java index fbde7d1..3aa4ad8 100644 --- a/core/src/main/java/io/undertow/UndertowMessages.java +++ b/core/src/main/java/io/undertow/UndertowMessages.java @@ -471,4 +471,7 @@ public interface UndertowMessages { @Message(id = 147, value = "No host header in a HTTP/1.1 request") IOException noHostInHttp11Request(); + + @Message(id = 195, value = "Chunk size too large") + IOException chunkSizeTooLarge(); } diff --git a/core/src/main/java/io/undertow/conduits/ChunkReader.java b/core/src/main/java/io/undertow/conduits/ChunkReader.java index 21ef002..e064f71 100644 --- a/core/src/main/java/io/undertow/conduits/ChunkReader.java +++ b/core/src/main/java/io/undertow/conduits/ChunkReader.java @@ -48,6 +48,8 @@ class ChunkReader { private static final long MASK_COUNT = longBitMask(0, 56); + private static final long LIMIT = Long.MAX_VALUE >> 4; + private long state; private final Attachable attachable; private final AttachmentKey trailerAttachmentKey; @@ -103,6 +105,9 @@ class ChunkReader { while (buf.hasRemaining()) { byte b = buf.get(); if ((b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F')) { + if (chunkRemaining > LIMIT) { + throw UndertowMessages.MESSAGES.chunkSizeTooLarge(); + } chunkRemaining <<= 4; //shift it 4 bytes and then add the next value to the end chunkRemaining += Character.digit((char) b, 16); } else { -- 2.23.0