http: fix response code parser to avoid integer overflow

test 1429 and 1433 were updated to work with the stricter HTTP status line parser. Closes #1714 Reported-by: Brian Carpenter
2024-12-21 15:48:49 -05:00 · 2017-07-31 17:11:18 +02:00 · 2017-07-31 17:11:18 +02:00 · 909283ae5a
commit 909283ae5a
parent 512f8c774a
3 changed files with 16 additions and 21 deletions
--- a/lib/http.c
+++ b/lib/http.c
@ -3322,19 +3322,22 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
         * says. We try to allow any number here, but we cannot make
         * guarantees on future behaviors since it isn't within the protocol.
         */
+        char separator;
        nc = sscanf(HEADER1,
-                    " HTTP/%d.%d %d",
+                    " HTTP/%1d.%1d%c%3d",
                    &httpversion_major,
                    &conn->httpversion,
+                    &separator,
                    &k->httpcode);

        if(nc == 1 && httpversion_major == 2 &&
           1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)) {
          conn->httpversion = 0;
-          nc = 3;
+          nc = 4;
+          separator = ' ';
        }

-        if(nc==3) {
+        if((nc==4) && (' ' == separator)) {
          conn->httpversion += 10 * httpversion_major;

          if(k->upgr101 == UPGR101_RECEIVED) {
@ -3343,7 +3346,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
              infof(data, "Lying server, not serving HTTP/2\n");
          }
        }
-        else {
+        else if(!nc) {
          /* this is the real world, not a Nirvana
             NCSA 1.5.x returns this crap when asked for HTTP/1.1
          */
@ -3361,6 +3364,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
            }
          }
        }
+        else {
+          failf(data, "Unsupported HTTP version in response\n");
+          return CURLE_UNSUPPORTED_PROTOCOL;
+        }
      }
      else if(conn->handler->protocol & CURLPROTO_RTSP) {
        nc = sscanf(HEADER1,
--- a/tests/data/test1429
+++ b/tests/data/test1429
@ -54,7 +54,7 @@ Content-Type: text/html
 Funny-head: yesyes

 -foo-
-1234
+123
 </stdout>
 <strip>
 ^User-Agent:.*
--- a/tests/data/test1433
+++ b/tests/data/test1433
@ -34,28 +34,13 @@ http
 HTTP GET with 100-digit subversion number in response
 </name>
 <command>
-http://%HOSTIP:%HTTPPORT/1433  --write-out '%{response_code}'
+http://%HOSTIP:%HTTPPORT/1433
 </command>
 </client>

 #
 # Verify data after the test has been "shot"
 <verify>
-<stdout nonewline="yes">
-HTTP/1.0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 200 OK
-Date: Thu, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-ETag: "21025-dc7-39462498"
-Accept-Ranges: bytes
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-
-foo-
-200
-</stdout>
 <strip>
 ^User-Agent:.*
 </strip>
@ -65,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
 Accept: */*

 </protocol>
+<errorcode>
+1
+</errorcode>
 </verify>
 </testcase>