The FCGI demux record length field (drl) is uint16_t. In the
ignore_record path, the expression "fconn->drl += fconn->drp" overflows
to 0 when contentLength=65535 and paddingLength>=1. This causes the
state machine to consider the record complete without consuming any
buffer data. The remaining buffer contents are then parsed as new FCGI
record headers.

The same drl+=drp pattern at lines 2382/2418/2475 is not affected
because drl is guaranteed to be 0 at those points (all content bytes
are consumed before reaching end_transfer).

Widen drl from uint16_t to uint32_t so that the addition of drp
(uint8_t, max 255) cannot overflow.

Reported-by: Tristan (@TristanInSec)
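The following C model is an added illustration, not HAProxy's code: it isolates the drl += drp arithmetic and the "drl == 0 means record complete" decision of the ignore_record path described above, once with the original uint16_t field and once with the widened uint32_t field. The struct, function names and the buffered-byte count are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the FCGI demux "ignore_record" step from the commit
 * message. Added example, not HAProxy's code: only the arithmetic on the
 * record length field and the completion check that follows are modelled. */

struct ignore_result {
    size_t consumed;  /* bytes removed from the demux buffer */
    int complete;     /* 1 if the parser moves on to the next record header */
};

/* Original field width: drl is uint16_t. content_len is FCGI contentLength
 * (max 65535), padding is paddingLength (max 255), avail is buffered bytes. */
static struct ignore_result ignore_record_u16(uint16_t content_len, uint8_t padding, size_t avail)
{
    uint16_t drl = content_len;
    drl += padding;                       /* 65535 + 1 wraps to 0 */
    size_t ret = avail < drl ? avail : drl;
    drl -= (uint16_t)ret;
    return (struct ignore_result){ ret, drl == 0 };
}

/* Patched field width: drl is uint32_t, so 65535 + 255 fits without wrapping. */
static struct ignore_result ignore_record_u32(uint16_t content_len, uint8_t padding, size_t avail)
{
    uint32_t drl = content_len;
    drl += padding;
    size_t ret = avail < drl ? avail : drl;
    drl -= (uint32_t)ret;
    return (struct ignore_result){ ret, drl == 0 };
}

int main(void)
{
    /* Constructed input: a 65535-byte record with 1 byte of padding, fully buffered. */
    struct ignore_result a = ignore_record_u16(65535, 1, 70000);
    struct ignore_result b = ignore_record_u32(65535, 1, 70000);
    printf("uint16_t: consumed %zu, complete=%d (payload left to be parsed as headers)\n",
           a.consumed, a.complete);
    printf("uint32_t: consumed %zu, complete=%d\n", b.consumed, b.complete);
    return 0;
}
```

With the uint16_t field the record is reported complete while zero bytes were consumed, which is exactly the desynchronisation the message describes; with uint32_t the full 65536 bytes are skipped.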
uint32_t flags; /* Connection flags: FCGI_CF_* */
int16_t dsi; /* dmux stream ID (<0 = idle ) */
- uint16_t drl; /* demux record length (if dsi >= 0) */
+ uint32_t drl; /* demux record length (if dsi >= 0) */
uint8_t drt; /* demux record type (if dsi >= 0) */
uint8_t drp; /* demux record padding (if dsi >= 0) */
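Review bot: the widened field should carry a comment recording why it is 32-bit, since the reason lives only in the commit message and the overflow site (the `drl += drp` in ignore_record) is outside this hunk; something like `uint32_t drl; /* demux record length + padding (if dsi >= 0), 32-bit so drl += drp cannot wrap */` makes the invariant visible to the next person who reads the struct. Please also confirm that every site taking a local copy of drl, comparing it with MIN(), or printing it in traces uses a width and format matching uint32_t rather than the old uint16_t. Minor: a uint32_t placed directly after `int16_t dsi` introduces two bytes of alignment padding; moving drl next to `flags` or after the two uint8_t fields would keep the struct the same size.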