From baeb764635bda5d9bbec57b107f26efb6b115727 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Thu, 16 Apr 2026 17:54:03 +0200
Subject: [PATCH] report: limit server answer to 1 MiB

As suggested in review.
---
 src/report/report-upload.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/report/report-upload.c b/src/report/report-upload.c
index 3022bd30493..218742f540c 100644
--- a/src/report/report-upload.c
+++ b/src/report/report-upload.c
@@ -14,6 +14,8 @@
 #include "curl-util.h"
 #include /* Sadly this fails if ordered first. */
 
+#define SERVER_ANSWER_MAX (1*1024*1024u)
+
 static size_t output_callback(char *buf,
 size_t size,
 size_t nmemb,
@@ -27,6 +29,13 @@ static size_t output_callback(char *buf,
 log_debug("Got an answer from the server (%zu bytes)", nmemb);
 
 if (nmemb != 0) {
+ size_t new_size = size_add(iovw_size(&context->upload_answer), nmemb);
+
+ if (new_size > SERVER_ANSWER_MAX) {
+ log_warning("Server answer too long (%zu > %u), refusing.", new_size, SERVER_ANSWER_MAX);
+ return 0;
+ }
+
 if (memchr(buf, 0, nmemb)) {
 log_warning("Server answer contains an embedded NUL, refusing.");
 return 0;
-- 
2.47.3
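Review bot: `SERVER_ANSWER_MAX` is added without a comment saying what it bounds. From its use in the second hunk it caps the cumulative size of the answer collected in `context->upload_answer` across all `output_callback` invocations, not the size of one chunk. I would put `/* Upper bound on the total server answer accumulated in upload_answer; larger answers abort the transfer. */` above the define. The `u` suffix is what keeps the `%u` in the new `log_warning` correct, so the format needs revisiting if the constant is ever widened.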
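Review bot: The new size check in `output_callback` only fires once the excess bytes have been handed to the callback, so a server that declares an oversized Content-Length is not rejected before its body is read. Setting `CURLOPT_MAXFILESIZE_LARGE` to `SERVER_ANSWER_MAX` on the easy handle would let curl refuse such a response up front; the handle setup is outside this hunk, so it may already be done. The callback check has to stay either way, because a chunked response carries no declared length. The body of `output_callback` starts before and continues after the hunk.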