File bsc854443-part1.patch of Package libmicrohttpd
From 4245c6e9c371a8434b13a37edbc4e6dc239813da Mon Sep 17 00:00:00 2001
From: Christian Grothoff <christian@grothoff.org>
Date: Fri, 29 Nov 2013 19:18:51 +0000
Subject: eliminate theoretical stack overflow
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
index 77f6e3b..5cef1cf 100644
--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -593,32 +593,42 @@ MHD_digest_auth_check (struct MHD_Connection *connection,
{
char r[MAX_REALM_LENGTH];
- len = lookup_sub_value(r,
+ len = lookup_sub_value(r,
sizeof (r),
- header, "realm");
- if ( (0 == len) ||
+ header, "realm");
+ if ( (0 == len) ||
(0 != strcmp(realm, r)) )
return MHD_NO;
left -= strlen ("realm") + len;
}
- if (0 == (len = lookup_sub_value (nonce,
+ if (0 == (len = lookup_sub_value (nonce,
sizeof (nonce),
header, "nonce")))
return MHD_NO;
left -= strlen ("nonce") + len;
-
+ if (left > 32 * 1024)
{
- char uri[left];
-
- if (0 == lookup_sub_value(uri,
- sizeof (uri),
- header, "uri"))
+ /* we do not permit URIs longer than 32k, as we want to
+ make sure to not blow our stack (or per-connection
+ heap memory limit). Besides, 32k is already insanely
+ large, but of course in theory the
+ #MHD_OPTION_CONNECTION_MEMORY_LIMIT might be very large
+ and would thus permit sending a >32k authorization
+ header value. */
+ return MHD_NO;
+ }
+ {
+ char uri[left];
+
+ if (0 == lookup_sub_value (uri,
+ sizeof (uri),
+ header, "uri"))
return MHD_NO;
-
- /* 8 = 4 hexadecimal numbers for the timestamp */
- nonce_time = strtoul(nonce + len - 8, (char **)NULL, 16);
- t = (uint32_t) MHD_monotonic_time();
+
+ /* 8 = 4 hexadecimal numbers for the timestamp */
+ nonce_time = strtoul (nonce + len - 8, (char **)NULL, 16);
+ t = (uint32_t) MHD_monotonic_time();
/*
* First level vetting for the nonce validity if the timestamp
* attached to the nonce exceeds `nonce_timeout' then the nonce is
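Review bot: In the `strtoul (nonce + len - 8, ...)` call, the pointer lands before the start of `nonce` whenever the client's nonce is shorter than 8 characters, because the only check on `len` visible in this hunk is the `0 == len` rejection after `lookup_sub_value`. A guard ahead of the timestamp parse, for example `if (len < 8) return MHD_NO;`, would keep the read inside the buffer. Separately, the new `left > 32 * 1024` test bounds the VLA `char uri[left];` from above only. The declaration of `left` is outside the hunk, so it is worth confirming that it is unsigned (an underflow in the `left -= ...` lines then wraps to a value the cap rejects) and that it cannot reach 0 before the array is declared. The body of `MHD_digest_auth_check` starts and ends outside this hunk.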
--
cgit v0.10.2