packages/undertow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
undertow/CVE-2020-10719.patch
wk333 aa7a7da807 fix CVE-2020-10719 
(cherry picked from commit f13e276bba8a3d3c582835af1a8a8240447cc5cb)
2021-10-29 16:57:16 +08:00

49 lines
2.1 KiB
Diff
Raw Permalink Blame History

From bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf Mon Sep 17 00:00:00 2001
From: Bartosz Spyrko-Smietanko <bspyrkos@redhat.com>
Date: Tue, 25 Feb 2020 13:26:20 +0000
Subject: [PATCH] [UNDERTOW-1708][JBEAP-18537] Fix overflow of chunk size
---
core/src/main/java/io/undertow/UndertowMessages.java | 3 +++
core/src/main/java/io/undertow/conduits/ChunkReader.java | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/core/src/main/java/io/undertow/UndertowMessages.java b/core/src/main/java/io/undertow/UndertowMessages.java
index fbde7d1..3aa4ad8 100644
--- a/core/src/main/java/io/undertow/UndertowMessages.java
+++ b/core/src/main/java/io/undertow/UndertowMessages.java
@@ -471,4 +471,7 @@ public interface UndertowMessages {
@Message(id = 147, value = "No host header in a HTTP/1.1 request")
IOException noHostInHttp11Request();
+
+ @Message(id = 195, value = "Chunk size too large")
+ IOException chunkSizeTooLarge();
}
diff --git a/core/src/main/java/io/undertow/conduits/ChunkReader.java b/core/src/main/java/io/undertow/conduits/ChunkReader.java
index 21ef002..e064f71 100644
--- a/core/src/main/java/io/undertow/conduits/ChunkReader.java
+++ b/core/src/main/java/io/undertow/conduits/ChunkReader.java
@@ -48,6 +48,8 @@ class ChunkReader<T extends Conduit> {
private static final long MASK_COUNT = longBitMask(0, 56);
+ private static final long LIMIT = Long.MAX_VALUE >> 4;
+
private long state;
private final Attachable attachable;
private final AttachmentKey<HeaderMap> trailerAttachmentKey;
@@ -103,6 +105,9 @@ class ChunkReader<T extends Conduit> {
while (buf.hasRemaining()) {
byte b = buf.get();
if ((b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F')) {
+ if (chunkRemaining > LIMIT) {
+ throw UndertowMessages.MESSAGES.chunkSizeTooLarge();
+ }
chunkRemaining <<= 4; //shift it 4 bytes and then add the next value to the end
chunkRemaining += Character.digit((char) b, 16);
} else {
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink