From 909283ae5a057487265ce9d8b684cf01451d096a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 31 Jul 2017 17:11:18 +0200
Subject: http: fix response code parser to avoid integer overflow

test 1429 and 1433 were updated to work with the stricter HTTP status line parser.

Closes #1714
Reported-by: Brian Carpenter
---
 lib/http.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'lib/http.c')

diff --git a/lib/http.c b/lib/http.c
index 319a8192c..d66b8482f 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3322,19 +3322,22 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 * says. We try to allow any number here, but we cannot make
 * guarantees on future behaviors since it isn't within the protocol.
 */
+ char separator;
 nc = sscanf(HEADER1,
- " HTTP/%d.%d %d",
+ " HTTP/%1d.%1d%c%3d",
 &httpversion_major,
 &conn->httpversion,
+ &separator,
 &k->httpcode);
 if(nc == 1 && httpversion_major == 2 &&
 1 == sscanf(HEADER1, " HTTP/2 %d", &k->httpcode)) {
 conn->httpversion = 0;
- nc = 3;
+ nc = 4;
+ separator = ' ';
 }
- if(nc==3) {
+ if((nc==4) && (' ' == separator)) {
 conn->httpversion += 10 * httpversion_major;
 if(k->upgr101 == UPGR101_RECEIVED) {
@@ -3343,7 +3346,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 infof(data, "Lying server, not serving HTTP/2\n");
 }
 }
- else {
+ else if(!nc) {
 /* this is the real world, not a Nirvana
 NCSA 1.5.x returns this crap when asked for HTTP/1.1
 */
@@ -3361,6 +3364,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 }
 }
 }
+ else {
+ failf(data, "Unsupported HTTP version in response\n");
+ return CURLE_UNSUPPORTED_PROTOCOL;
+ }
 }
 else if(conn->handler->protocol & CURLPROTO_RTSP) {
 nc = sscanf(HEADER1,
--
cgit v1.2.3
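Review bot: The HTTP/2 fallback in the first hunk (`@@ -3322,19 +3322,22 @@`) still parses the status with an unbounded `%d`, so the out-of-range conversion this commit removes from the main `sscanf` stays reachable when an oversized status value follows `HTTP/2`. Bounding it the same way closes that path: `1 == sscanf(HEADER1, " HTTP/2 %3d", &k->httpcode)) {`. Note also that `%3d` accepts a sign, so a status such as `-12` converts to a negative `k->httpcode`; whether later code tolerates that is not visible in this hunk, and an explicit range check after the parse would settle it. The enclosing function starts and ends outside the hunk.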
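Review bot: The new final `else` in the third hunk (`@@ -3361,6 +3364,10 @@`) reports "Unsupported HTTP version in response" for every rejected status line, yet the branch is also reached when the version parsed but the status code or separator did not (`nc` between 1 and 3, or `nc == 4` with a non-space separator). A message that matches the condition makes malformed or hostile responses easier to triage from logs, for example `failf(data, "Malformed HTTP status line in response\n");`. A short comment above the branch would help too: `/* something matched, but not a full "HTTP/x.y <code>" status line: reject */`. The function continues outside the hunk, so whether the early `return` skips any cleanup cannot be judged from here.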