You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by li...@apache.org on 2022/08/29 13:46:31 UTC
[tomcat] branch 10.0.x updated: Manually merge #548 - Avoid int overflow when parsing octet
This is an automated email from the ASF dual-hosted git repository.
lihan pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new fb4d9198de Manually merge #548 - Avoid int overflow when parsing octet
fb4d9198de is described below
commit fb4d9198de7bd8b2ad144c6aa728de874448d278
Author: lihan <li...@apache.org>
AuthorDate: Mon Aug 29 21:43:06 2022 +0800
Manually merge #548 - Avoid int overflow when parsing octet
---
java/org/apache/tomcat/util/http/parser/HttpParser.java | 4 ++++
test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java | 2 ++
webapps/docs/changelog.xml | 4 ++++
3 files changed, 10 insertions(+)
diff --git a/java/org/apache/tomcat/util/http/parser/HttpParser.java b/java/org/apache/tomcat/util/http/parser/HttpParser.java
index 4df0467194..21ba58967d 100644
--- a/java/org/apache/tomcat/util/http/parser/HttpParser.java
+++ b/java/org/apache/tomcat/util/http/parser/HttpParser.java
@@ -754,6 +754,10 @@ public class HttpParser {
}
} else {
octet = octet * 10 + c - '0';
+ // Avoid overflow
+ if (octet > 255) {
+ break;
+ }
}
} else if (c == ':') {
break;
diff --git a/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java b/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
index e5b9bc0572..fa6e0634a8 100644
--- a/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
+++ b/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
@@ -78,6 +78,8 @@ public class TestHttpParserHost {
result.add(new Object[] { TestType.IPv4, "0.a.0.0:8080", Integer.valueOf(7), null} );
result.add(new Object[] { TestType.IPv4, "localhost", Integer.valueOf(-1), null} );
result.add(new Object[] { TestType.IPv4, "localhost:8080", Integer.valueOf(9), null} );
+ result.add(new Object[] { TestType.IPv4, "4294967295.localhost", Integer.valueOf(-1), null} );
+ result.add(new Object[] { TestType.IPv4, "4294967295.com", Integer.valueOf(-1), null} );
result.add(new Object[] { TestType.IPv4, "tomcat.apache.org", Integer.valueOf(-1), null} );
result.add(new Object[] { TestType.IPv4, "tomcat.apache.org:8080", Integer.valueOf(17), null} );
result.add(new Object[] { TestType.IPv4, "0.0.0.com", Integer.valueOf(-1), null} );
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4c77efa327..b71bf80807 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -203,6 +203,10 @@
errors) via a <code>UserDataHelper</code> to broadly align it with the
behaviour of HTTP/1.1 for parsing issues and exceeding limits. (markt)
</fix>
+ <fix>
+ <bug>66240</bug>: Avoid int overflow when parsing octets by limiting
+ the maximum value to 255. Based on a PR <pr>548</pr> by Stefan Mayr. (lihan)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org