diff options
author | Emmanuel Fleury <emmanuel.fleury@gmail.com> | 2021-02-09 18:07:20 +0000 |
---|---|---|
committer | Philip Withnall <philip@tecnocode.co.uk> | 2021-02-09 18:07:20 +0000 |
commit | a5e3be4a0cd4f75192694e505e89172bb4357f59 (patch) | |
tree | c3de2ea55af9a9b074bb91a2aa25db24fb9d4b9a | |
parent | 3e5e7aa8e97526ba26c293a86877144c8b983720 (diff) | |
download | glib-a5e3be4a0cd4f75192694e505e89172bb4357f59.tar.gz |
Adding a missing test on integer overflow within g_http_proxy_connect()
Fixes #2315
-rw-r--r-- | gio/ghttpproxy.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/gio/ghttpproxy.c b/gio/ghttpproxy.c index cd0bda4e6..505a8fecb 100644 --- a/gio/ghttpproxy.c +++ b/gio/ghttpproxy.c @@ -255,6 +255,17 @@ g_http_proxy_connect (GProxy *proxy, if (bytes_read == buffer_length) { + /* HTTP specifications does not defines any upper limit for + * headers. But, the most usual size used seems to be 8KB. + * Yet, the biggest we found was Tomcat's HTTP headers whose + * size is 48K. So, for a reasonable error margin, let's accept + * a header with a twice as large size but no more: 96KB */ + if (buffer_length > 98304) + { + g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_PROXY_FAILED, + _("HTTP proxy response too big")); + goto error; + } buffer_length = 2 * buffer_length; buffer = g_realloc (buffer, buffer_length); } |