headers: limit the size of folded headers

Ticket: #6444 So as to limit the quadratic complexity of always reallocating to push more bytes in header value
OISF · Jan 23, 2024 · 20ac301 · 20ac301
1 parent c990dc3
commit 20ac301
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 8 deletions.
diff --git a/htp/htp_private.h b/htp/htp_private.h
@@ -262,5 +262,8 @@ size_t strlcpy(char *dst, const char *src, size_t size);
 }
 #endif
 
+// as CURL_MAX_HTTP_HEADER
+#define HTP_MAX_HEADER_FOLDED 102400
+
 #endif	/* _HTP_PRIVATE_H */
 
diff --git a/htp/htp_request.c b/htp/htp_request.c
@@ -714,10 +714,14 @@ htp_status_t htp_connp_REQ_HEADERS(htp_connp_t *connp) {
                     connp->in_header = bstr_dup_mem(data + trim, len - trim);
                     if (connp->in_header == NULL) return HTP_ERROR;
                 } else {
-                    // Add to the existing header.                    
-                    bstr *new_in_header = bstr_add_mem(connp->in_header, data, len);
-                    if (new_in_header == NULL) return HTP_ERROR;
-                    connp->in_header = new_in_header;
+                    // Add to the existing header.
+                    if (bstr_len(connp->in_header) < HTP_MAX_HEADER_FOLDED) {
+                        bstr *new_in_header = bstr_add_mem(connp->in_header, data, len);
+                        if (new_in_header == NULL) return HTP_ERROR;
+                        connp->in_header = new_in_header;
+                    } else {
+                        htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request field length exceeds folded maximum");
+                    }
                 }
             }
 

diff --git a/htp/htp_response.c b/htp/htp_response.c
@@ -978,10 +978,14 @@ htp_status_t htp_connp_RES_HEADERS(htp_connp_t *connp) {
                             return HTP_ERROR;
                     } else {
                         // Add to the existing header.
-                        bstr *new_out_header = bstr_add_mem(connp->out_header, data, len);
-                        if (new_out_header == NULL)
-                            return HTP_ERROR;
-                        connp->out_header = new_out_header;
+                        if (bstr_len(connp->out_header) < HTP_MAX_HEADER_FOLDED) {
+                            bstr *new_out_header = bstr_add_mem(connp->out_header, data, len);
+                            if (new_out_header == NULL)
+                                return HTP_ERROR;
+                            connp->out_header = new_out_header;
+                        } else {
+                            htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Response field length exceeds folded maximum");
+                        }
                     }
                 }
             }