From: Yann Ylavic <ylavic@apache.org>
Date: Wed, 20 May 2020 14:13:09 +0000 (+0000)
Subject: core, protocol: reject invalid Content-Length ASAP.
X-Git-Tag: 2.5.0-alpha2-ci-test-only~1427
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2efe92b51dc4c33c907c9b8c17cb5038aad8038c;p=thirdparty%2Fapache%2Fhttpd.git

core, protocol: reject invalid Content-Length ASAP.

Don't let invalid invalid Content-Length header go beyond ap_read_request()
and protocol validation. The check in ap_http_filter() is still useful if
some modules mangles the header, but it's too late for the usual case.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877955 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/server/protocol.c b/server/protocol.c
index aeff2d20020..76baabbe291 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1493,7 +1493,7 @@ request_rec *ap_read_request(conn_rec *conn)
     apply_server_config(r);
 
     if (!r->assbackwards) {
-        const char *tenc;
+        const char *tenc, *clen;
 
         ap_get_mime_headers_core(r, tmp_bb);
         apr_brigade_cleanup(tmp_bb);
@@ -1528,6 +1528,17 @@ request_rec *ap_read_request(conn_rec *conn)
              */
             apr_table_unset(r->headers_in, "Content-Length");
         }
+        else if ((clen = apr_table_get(r->headers_in, "Content-Length"))) {
+            apr_off_t cl;
+
+            if (!ap_parse_strict_length(&cl, clen)) {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10242)
+                              "client sent invalid Content-Length "
+                              "(%s): %s", clen, r->uri);
+                access_status = HTTP_BAD_REQUEST;
+                goto die_unusable_input;
+            }
+        }
     }
 
     /*