HTTP: bail out on negative Content-Length: values

... and make the max filesize check trigger if the value is too big. Updates test 178. Reported-by: Brad Spencer Fixes #2212 Closes #2223
2018-01-09 17:24:48 +13:00 · 2018-01-09 17:24:48 +13:00 · f68e672715
parent 0616dfa1e0
commit f68e672715
2 changed files with 32 additions and 21 deletions
--- a/lib/http.c
+++ b/lib/http.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -3505,13 +3505,14 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
    if(!k->ignorecl && !data->set.ignorecl &&
       checkprefix("Content-Length:", k->p)) {
      curl_off_t contentlength;
-      if(!curlx_strtoofft(k->p + 15, NULL, 10, &contentlength)) {
+      CURLofft offt = curlx_strtoofft(k->p + 15, NULL, 10, &contentlength);
+
+      if(offt == CURL_OFFT_OK) {
        if(data->set.max_filesize &&
           contentlength > data->set.max_filesize) {
          failf(data, "Maximum file size exceeded");
          return CURLE_FILESIZE_EXCEEDED;
        }
-        if(contentlength >= 0) {
        k->size = contentlength;
        k->maxdownload = k->size;
        /* we set the progress download size already at this point
@ -3519,18 +3520,21 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
           info as soon as possible */
        Curl_pgrsSetDownloadSize(data, k->size);
      }
+      else if(offt == CURL_OFFT_FLOW) {
+        /* out of range */
+        if(data->set.max_filesize) {
+          failf(data, "Maximum file size exceeded");
+          return CURLE_FILESIZE_EXCEEDED;
+        }
+        streamclose(conn, "overflow content-length");
+        infof(data, "Overflow Content-Length: value!\n");
+      }
      else {
-          /* Negative Content-Length is really odd, and we know it
-             happens for example when older Apache servers send large
-             files */
-          streamclose(conn, "negative content-length");
-          infof(data, "Negative content-length: %" CURL_FORMAT_CURL_OFF_T
-                ", closing after transfer\n", contentlength);
+        /* negative or just rubbish - bad HTTP */
+        failf(data, "Invalid Content-Length: value");
+        return CURLE_WEIRD_SERVER_REPLY;
      }
    }
-      else
-        infof(data, "Illegal Content-Length: header\n");
-    }
    /* check for Content-Type: header lines to get the MIME-type */
    else if(checkprefix("Content-Type:", k->p)) {
      char *contenttype = Curl_copy_header_value(k->p);
--- a/tests/data/test178
+++ b/tests/data/test178
@ -18,6 +18,10 @@ Funny-head: yesyes

 moooooooooooo
 </data>
+<datacheck>
+HTTP/1.1 200 OK swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+</datacheck>
 </reply>

 #
@ -27,7 +31,7 @@ moooooooooooo
 http
 </server>
 <name>
-simple HTTP GET with negative Content-Length
+HTTP response with negative Content-Length
 </name>
 <command>
 http://%HOSTIP:%HTTPPORT/178
@ -46,5 +50,8 @@ Host: %HOSTIP:%HTTPPORT
 Accept: */*

 </protocol>
+<errorcode>
+8
+</errorcode>
 </verify>
 </testcase>