http: fixes overflow in range parsing

author Philippe Antoine <contact@catenacyber.fr>

Fri, 5 Jul 2019 06:34:06 +0000 (08:34 +0200)

committer Victor Julien <victor@inliniac.net>

Fri, 12 Jul 2019 07:54:53 +0000 (09:54 +0200)
author Philippe Antoine <contact@catenacyber.fr>
Fri, 5 Jul 2019 06:34:06 +0000 (08:34 +0200)
committer Victor Julien <victor@inliniac.net>
Fri, 12 Jul 2019 07:54:53 +0000 (09:54 +0200)
diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c

index a04196a74adfdbc021d452f26498ad68ec8778e3..2f367daf7fbea37868547258688cc385ab0a234e 100644 (file)
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@@ -186,7 +186,7 @@ int HTPParseContentRange(bstr * rawvalue, HtpContentRange *range)
  
      if (data[pos] == '*') {
          // case with size only
-        if (len < pos + 1 || data[pos+1] != '/') {
+        if (len <= pos + 1 || data[pos+1] != '/') {
              range->size = -1;
              return -1;
          }
@@ -196,13 +196,13 @@ int HTPParseContentRange(bstr * rawvalue, HtpContentRange *range)
          // case with start and end
          range->start = bstr_util_mem_to_pint(data + pos, len - pos, 10, &last_pos);
          pos += last_pos;
-        if (len < pos + 1 || data[pos] != '-') {
+        if (len <= pos + 1 || data[pos] != '-') {
              return -1;
          }
          pos++;
          range->end = bstr_util_mem_to_pint(data + pos, len - pos, 10, &last_pos);
          pos += last_pos;
-        if (len < pos + 1 || data[pos] != '/') {
+        if (len <= pos + 1 || data[pos] != '/') {
              return -1;
          }
          pos++;
author	Philippe Antoine <contact@catenacyber.fr>
	Fri, 5 Jul 2019 06:34:06 +0000 (08:34 +0200)
committer	Victor Julien <victor@inliniac.net>
	Fri, 12 Jul 2019 07:54:53 +0000 (09:54 +0200)