From b2b864e489b00185f7139a5b3de099598dbecdad Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sat, 5 Apr 2025 17:44:13 +0000 Subject: [PATCH] http: refuse to deal with >4GB chunks in uploads The `hex' perlop will return an NV (typically 64-bit double) on UV (unsigned int) overflow and warns on larger values. While 64-bit integer builds of 32-bit perl (e.g. Debian i386) can handle 64-bit numbers, there are builds of perl which still use 32-bit integers nowadays (e.g. OpenBSD 7.x i386). It's unlikely we'll ever see chunks even close to 4GB, so just cap it at 8 hex characters and drop clients which send larger amounts. --- lib/PublicInbox/HTTP.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm index fd9021d61..7bee0b0a0 100644 --- a/lib/PublicInbox/HTTP.pm +++ b/lib/PublicInbox/HTTP.pm @@ -432,6 +432,7 @@ sub read_input_chunked { # unlikely... } if ($len == CHUNK_START) { if ($$rbuf =~ s/\A([a-f0-9]+).*?\r\n//i) { + return quit($self, 400) if length($1) > 8; $len = hex $1; if (($len + -s $input) > $MAX_REQUEST_BUFFER) { return quit($self, 413); -- 2.47.2