Content length verifier negative check #361
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Can one of the admins verify this patch? |
8 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
rnro
force-pushed
the
ContentLengthVerifierNegativeCheck
branch
2 times, most recently
from
dbd8c37
to
d734101
Compare
Motivation: We discovered that this code path can result in an arithmetic overflow in the case where the content-length header has INT_MIN value. Since negative content-lengths don't have any meaning anyway we may as well throw if we encounter one so the decoding can be aborted. Modifications: * ContentLengthVerifier init throws a `ContentLengthHeaderNegative` error when the decoded value is < 0. * ContentLengthVerifier init throws a `ContentLengthHeaderMalformedValue` error when the value cannot be decoded, e.g. it is out of bounds for Int or is an invalid string. Result: We will no longer panic for INT_MIN content-lengths and will fail decoding if one of various invalid values is encountered.
rnro
force-pushed
the
ContentLengthVerifierNegativeCheck
branch
from
d734101
to
ea77144
Compare
Lukasa
approved these changes
Nov 25, 2022
dnadoba
reviewed
Nov 25, 2022
Comment on lines
61
to
+68
| self.expectedContentLength = Int(first, radix: 10) | ||
|
|
||
| guard let expectedLength = self.expectedContentLength else { | ||
| throw NIOHTTP2Errors.contentLengthHeaderMalformedValue() | ||
| } | ||
| if expectedLength < 0 { | ||
| throw NIOHTTP2Errors.contentLengthHeaderNegative() | ||
| } |
There was a problem hiding this comment.
Note: more of a felling then an actual rule I follow
I usually only assign after the value is fully validated. It doesn't really matter but it signals to me at least that once it is assigned I'm done with it.
Suggested change
| self.expectedContentLength = Int(first, radix: 10) | |
| guard let expectedLength = self.expectedContentLength else { | |
| throw NIOHTTP2Errors.contentLengthHeaderMalformedValue() | |
| } | |
| if expectedLength < 0 { | |
| throw NIOHTTP2Errors.contentLengthHeaderNegative() | |
| } | |
| guard let expectedLength = Int(first, radix: 10) else { | |
| throw NIOHTTP2Errors.contentLengthHeaderMalformedValue() | |
| } | |
| if expectedLength < 0 { | |
| throw NIOHTTP2Errors.contentLengthHeaderNegative() | |
| } | |
| self.expectedContentLength = expectedLength |
glbrntt
added
the
🔼 needs-minor-version-bump
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ContentLengthVerifierinitthrows on negative valuesMotivation:
We discovered that this code path can result in an arithmetic overflow in the case where the content-length header has
INT_MINvalue. Since negative content-lengths don't have any meaning anyway we may as well throw if we encounter one so the decoding can be aborted.Modifications:
ContentLengthHeaderNegativeerror when the decoded value is < 0.ContentLengthHeaderMalformedValueerror when the value cannot be decoded, e.g. it is out of bounds for Int or is an invalid string.Result:
We will no longer panic for
INT_MINcontent-lengths and will fail decoding if one of various invalid values is encountered.