authorDaniel Stenberg <daniel@haxx.se>2017-07-31 17:11:18 +0200
committerDaniel Stenberg <daniel@haxx.se>2017-07-31 18:37:43 +0200
commit909283ae5a057487265ce9d8b684cf01451d096a (patch)
tree4870905c1772daf6d56d2e645ede547c7fbfcacb /lib
parent512f8c774a8ae541d2e4fbccdd94e4bb0d39e90c (diff)
http: fix response code parser to avoid integer overflow
test 1429 and 1433 were updated to work with the stricter HTTP status line parser. Closes #1714 Reported-by: Brian Carpenter
Diffstat (limited to 'lib')
-rw-r--r--lib/http.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/http.c b/lib/http.c
index 319a8192c..d66b8482f 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3322,19 +3322,22 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
* says. We try to allow any number here, but we cannot make
* guarantees on future behaviors since it isn't within the protocol.
*/
+ char separator;
nc = sscanf(HEADER1,
- " HTTP/%d.%d %d",
+ " HTTP/%1d.%1d%c%3d",
&httpversion_major,
&conn->httpversion,
+ &separator,
&k->httpcode);
if(nc == 1 && httpversion_major == 2 &&
1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)) {
conn->httpversion = 0;
- nc = 3;
+ nc = 4;
+ separator = ' ';
}
- if(nc==3) {
+ if((nc==4) && (' ' == separator)) {
conn->httpversion += 10 * httpversion_major;
if(k->upgr101 == UPGR101_RECEIVED) {
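Review bot: The HTTP/2 fallback on the unchanged line `1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)` still converts the status code with an unbounded `%d`, so the overflow this commit removes from the main format string remains possible for a status line that begins with `HTTP/2 `. Bounding it the same way, `" HTTP/2 %3d"`, would make both paths consistent. Separately, `%3d` caps the field width but still accepts a sign, so a range check on `k->httpcode` after parsing (for example rejecting values below 100) is worth adding unless one already exists outside this hunk. Curl_http_readwrite_headers starts and ends outside the hunk.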
@@ -3343,7 +3346,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
infof(data, "Lying server, not serving HTTP/2\n");
}
}
- else {
+ else if(!nc) {
/* this is the real world, not a Nirvana
NCSA 1.5.x returns this crap when asked for HTTP/1.1
*/
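Review bot: `else if(!nc)` covers only a return of 0, but sscanf returns EOF, a negative value, when the input runs out before the first conversion, and that value now skips this fallback and lands in the error branch added in the next hunk. Whether HEADER1 can be empty or whitespace-only at this point is not visible here, so the case may be unreachable. If it is reachable, `else if(nc <= 0) {` would keep the previous behaviour for it. A short comment such as `/* nc == 0: no major version could be parsed */` would also make the narrowed condition easier to read. The body of this branch continues outside the hunk.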
@@ -3361,6 +3364,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
}
}
}
+ else {
+ failf(data, "Unsupported HTTP version in response\n");
+ return CURLE_UNSUPPORTED_PROTOCOL;
+ }
}
else if(conn->handler->protocol & CURLPROTO_RTSP) {
nc = sscanf(HEADER1,
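Review bot: The new `else` branch is reached for every partial match (nc between 1 and 3) and for a full match whose separator is not a space, so "Unsupported HTTP version in response" is also reported for a malformed status line whose version is acceptable, such as one with no status code after the version. Because this branch rejects responses that the old `nc==3` test accepted, a more accurate message helps whoever has to diagnose the failure, for example `failf(data, "Invalid HTTP status line in response\n");`. At minimum the branch deserves a comment such as `/* "HTTP/" matched but the rest is not a well-formed status line */`. The if/else chain this branch closes begins in the earlier hunks and the function continues past this one.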