Re: wget2 | Fixed data corruption bugs in transfer encoding chunked code
From: Tim Rühsen
Subject: Re: wget2 | Fixed data corruption bugs in transfer encoding chunked code (!480)
Date: Sun, 24 Jan 2021 12:45:53 +0000
Tim Rühsen started a new discussion on libwget/http.c:
https://gitlab.com/gnuwget/wget2/-/merge_requests/480#note_492573023
> if (conn->abort_indicator || abort_indicator)
> goto cleanup;
>
> + if (body_len + 1024 > bufsize) {
> + if
> (wget_buffer_ensure_capacity(conn->buf, bufsize + 1024) != WGET_E_SUCCESS) {
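Review bot: the `wget_buffer_ensure_capacity(conn->buf, bufsize + 1024)` call under `if (body_len + 1024 > bufsize)` grows the buffer in 1024-byte steps with no upper limit, so its final size is decided by whatever the peer sends. Check against a maximum before growing and fail the transfer once it is reached; the literal 1024 is also repeated in both lines and would read better as a named constant.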
Adding more and more capacity to the buffer allows a DoS attack from the server
(sending endless data without \r\n inside).
A simple solution could be to skip the chunk-extension by using a fixed size
stack buffer and by limiting the chunk-size to a certain amount of bytes
(reasonable size like 16 hex bytes == 64-bit size).
I would like to address this later together with adding some tests for the
corner cases.
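The bounded parsing suggested in the message above, as an added example that is not wget2 code and not part of the original email: a byte-at-a-time state machine is used here in place of the fixed-size stack buffer, the chunk-size is limited to 16 hex digits, and the chunk-extension is skipped without being stored. All names and the 4096-byte extension cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names and limits for this example; not wget2 identifiers. */
#define MAX_SIZE_DIGITS 16   /* 16 hex digits == 64-bit chunk size */
#define MAX_EXT_BYTES 4096   /* assumed cap on skipped chunk-extension bytes */
enum chunk_rc { CHUNK_MORE, CHUNK_DONE, CHUNK_ERR };
enum chunk_state { ST_SIZE, ST_EXT, ST_LF };
struct chunk_hdr { enum chunk_state state; uint64_t size; unsigned digits, ext; };

static int hexval(unsigned char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	c |= 0x20; /* fold ASCII upper case to lower case */
	return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Feed bytes of one chunk-size line; *used gets the bytes consumed. Nothing is
 * stored, so a line that never reaches CRLF ends in CHUNK_ERR, not in growth. */
enum chunk_rc chunk_hdr_feed(struct chunk_hdr *h, const unsigned char *data,
                             size_t len, size_t *used)
{
	for (size_t i = 0; i < len; i++) {
		unsigned char c = data[i];
		int v = (h->state == ST_SIZE) ? hexval(c) : -1;
		*used = i + 1;
		if (h->state == ST_LF)
			return c == '\n' ? CHUNK_DONE : CHUNK_ERR;
		if (c == '\r' && h->digits) {
			h->state = ST_LF; /* size seen, only LF may follow */
		} else if (v >= 0) {
			if (++h->digits > MAX_SIZE_DIGITS) return CHUNK_ERR;
			h->size = (h->size << 4) | (uint64_t)v;
		} else if (h->digits && ++h->ext <= MAX_EXT_BYTES) {
			h->state = ST_EXT; /* extension or whitespace: skipped, never stored */
		} else {
			return CHUNK_ERR; /* missing size, or extension over the cap */
		}
	}
	*used = len;
	return CHUNK_MORE; /* call again with the next bytes read */
}

int main(void)
{
	struct chunk_hdr h = {0};
	size_t used = 0;
	const unsigned char line[] = "1a;name=value\r\nDATA"; /* constructed sample */
	return chunk_hdr_feed(&h, line, sizeof line - 1, &used) == CHUNK_DONE ? 0 : 1;
}
```

The parser is strict: leading zeros count toward the 16-digit limit and a bare LF does not terminate the line.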