From: manu <manu@unknown>
Date: Tue, 7 Mar 2023 01:51:02 +0000 (+0000)
Subject: Use ap_parse_strict_length() to parse client-supplied Content-Length
X-Git-Tag: 2.5.0-alpha2-ci-test-only~73
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e653b97abc5cb3e4f29e6a4a92bac098fbb5a2c1;p=thirdparty%2Fapache%2Fhttpd.git

Use ap_parse_strict_length() to parse client-supplied Content-Length


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908144 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/dav/fs/quota.c b/modules/dav/fs/quota.c
index 37cbb6cf146..8dedfeae610 100644
--- a/modules/dav/fs/quota.c
+++ b/modules/dav/fs/quota.c
@@ -320,12 +320,20 @@ int dav_fs_quota_precondition(request_rec *r,
         /*
          * If PUT has Content-Length, we can forecast overquota
          */
-        if ((lenhdr = apr_table_get(r->headers_in, "Content-Length")) &&
-            (atol(lenhdr) > available_bytes)) {
-            status = HTTP_INSUFFICIENT_STORAGE;
-            *err = dav_new_error_tag(r->pool, status, 0, 0,
-                                     msg, NULL, tag);
-            goto out;
+        if (lenhdr = apr_table_get(r->headers_in, "Content-Length")) {
+            if (!ap_parse_strict_length(&size, lenhdr)) {
+                status = HTTP_BAD_REQUEST;
+                *err = dav_new_error(r->pool, status, 0, 0,
+                                     "client sent invalid Content-Length");
+                goto out;
+            }
+
+            if (size > available_bytes) {
+                status = HTTP_INSUFFICIENT_STORAGE;
+                *err = dav_new_error_tag(r->pool, status, 0, 0,
+                                         msg, NULL, tag);
+                goto out;
+            }
         }
         break;
     case M_COPY: /* FALLTHROUGH */