Protect from DoS with negative Content-Length

4c5fee96 · Sergey Lyubka · 82bcf523 · 4c5fee96 · 4c5fee96
Commit 4c5fee96 authored May 19, 2012 by Sergey Lyubka
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

mongoose.c mongoose.c +2 -1

test.pl test/test.pl +2 -0

No files found.
--- a/mongoose.c
+++ b/mongoose.c
@@ -3858,7 +3858,8 @@ static void discard_current_request_from_buffer(struct mg_connection *conn) {
  buffered_len = conn->data_len - conn->request_len;
  assert(buffered_len >= 0);

-  if (conn->content_len == -1) {
+  if (conn->content_len <= 0) {
+    // Protect from negative Content-Length, too
    body_len = 0;
  } else if (conn->content_len < (int64_t) buffered_len) {
    body_len = (int) conn->content_len;

--- a/test/test.pl
+++ b/test/test.pl
@@ -181,6 +181,8 @@ spawn($cmd);
 req('POST ' . '/..' x 100 . 'ABCD' x 3000 . "\n\n", 0); # don't log this one

 o("GET /hello.txt HTTP/1.0\n\n", 'HTTP/1.1 200 OK', 'GET regular file');
+o("GET /hello.txt HTTP/1.0\nContent-Length: -2147483648\n\n",
+  'HTTP/1.1 200 OK', 'Negative content length');
 o("GET /hello.txt HTTP/1.0\n\n", 'Content-Length: 17\s',
  'GET regular file Content-Length');
 o("GET /%68%65%6c%6c%6f%2e%74%78%74 HTTP/1.0\n\n",