fix: buffer overflow in multipart body proc#3546
fix: buffer overflow in multipart body proc#3546airween wants to merge 3 commits intoowasp-modsecurity:v3/masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Fixes a potential out-of-bounds read/heap buffer overflow in multipart Content-Disposition parsing, based on an external bug report.
Changes:
- Adds an explicit
*(p+2) == '\0'guard before validating the second hex digit infilename*percent-escapes. - Avoids incrementing
ppast the string terminator when a quoted parameter value is missing a closing quote.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if (*p == quote) { | ||
| p++; /* go over the quote at the end */ | ||
| } | ||
|
|
There was a problem hiding this comment.
The PR addresses out-of-bounds reads in Content-Disposition parsing; adding regression cases for (1) filename* values ending with an incomplete percent-escape (e.g. trailing %A) and (2) quoted values missing a terminating quote would help ensure this remains fixed (especially under ASAN/UBSAN).
| if (*p == quote) { | |
| p++; /* go over the quote at the end */ | |
| } | |
| if (*p == '\0') { | |
| /* missing terminating quote */ | |
| return -7; | |
| } | |
| p++; /* go over the quote at the end */ |
There was a problem hiding this comment.
I'm not sure this is a valid case, multipart header can contain urlencoded text, but the parser's task process it as is.
This suggestion removes that very important condition, I'm afraid that could make the parser wrong.
|
what
This PR fixes a possible heap buffer overflow in multipart body processor.
why
There is a bug report, received in email from @fumfel and his team. Also they provided this fix.
references
The original report:
other notes
After a review and a short discussion, @fumfel and his team confirmed that this issue can occur if the source code was built with ASAN flags.