Adding a missing test on integer overflow within g_http_proxy_connect()

Fixes #2315
author: Emmanuel Fleury <emmanuel.fleury@gmail.com> 2021-02-09 18:07:20 +0000
committer: Philip Withnall <philip@tecnocode.co.uk> 2021-02-09 18:07:20 +0000
commit: a5e3be4a0cd4f75192694e505e89172bb4357f59 (patch)
tree: c3de2ea55af9a9b074bb91a2aa25db24fb9d4b9a
parent: 3e5e7aa8e97526ba26c293a86877144c8b983720 (diff)
download: glib-a5e3be4a0cd4f75192694e505e89172bb4357f59.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/gio/ghttpproxy.c b/gio/ghttpproxy.c
index cd0bda4e6..505a8fecb 100644
--- a/gio/ghttpproxy.c
+++ b/gio/ghttpproxy.c
@@ -255,6 +255,17 @@ g_http_proxy_connect (GProxy         *proxy,
 
       if (bytes_read == buffer_length)
         {
+          /* HTTP specifications does not defines any upper limit for
+           * headers. But, the most usual size used seems to be 8KB.
+           * Yet, the biggest we found was Tomcat's HTTP headers whose
+           * size is 48K. So, for a reasonable error margin, let's accept
+           * a header with a twice as large size but no more: 96KB */
+          if (buffer_length > 98304)
+            {
+              g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_PROXY_FAILED,
+                                   _("HTTP proxy response too big"));
+              goto error;
+            }
           buffer_length = 2 * buffer_length;
           buffer = g_realloc (buffer, buffer_length);
         }
author	Emmanuel Fleury <emmanuel.fleury@gmail.com>	2021-02-09 18:07:20 +0000
committer	Philip Withnall <philip@tecnocode.co.uk>	2021-02-09 18:07:20 +0000
commit	a5e3be4a0cd4f75192694e505e89172bb4357f59 (patch)
tree	c3de2ea55af9a9b074bb91a2aa25db24fb9d4b9a
parent	3e5e7aa8e97526ba26c293a86877144c8b983720 (diff)
download	glib-a5e3be4a0cd4f75192694e505e89172bb4357f59.tar.gz