core: Fix Content-Length parsing

Issue discovered during OpenSIPS Security Audit 2022, by Alfred Farrugia & Sandro Gauci (Enable Security) GHSA-c6j5-f4h4-2xrq (cherry picked from commit 7cab422)
OpenSIPS · Mar 18, 2022 · 87e1f27 · 87e1f27
1 parent 0c37ba4
commit 87e1f27
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/parser/parse_content.c b/parser/parse_content.c
@@ -241,12 +241,14 @@ char* parse_content_length( char* buffer, char* end, int* length)
 	size = 0;
 	number = 0;
 	while (p<end && *p>='0' && *p<='9') {
-		number = number*10 + (*p)-'0';
-		if (number<0) {
-			LM_ERR("number overflow at pos %d in len number [%.*s]\n",
+		/* do not actually cause an integer overflow, as it is UB! --liviu */
+		if (number > 214748363) {
+			LM_ERR("integer overflow risk at pos %d in len number [%.*s]\n",
 				(int)(p-buffer),(int)(end-buffer), buffer);
 			return 0;
 		}
+
+		number = number*10 + (*p)-'0';
 		size ++;
 		p++;
 	}