wget-dev

Re: wget2 | Fixed data corruption bugs in transfer encoding chunked code


From: Tim Rühsen
Subject: Re: wget2 | Fixed data corruption bugs in transfer encoding chunked code (!480)
Date: Sun, 24 Jan 2021 12:45:53 +0000



Tim Rühsen started a new discussion on libwget/http.c: 
https://gitlab.com/gnuwget/wget2/-/merge_requests/480#note_492573023

>                               if (conn->abort_indicator || abort_indicator)
>                                       goto cleanup;
>  
> +                             if (body_len + 1024 > bufsize) {
> +                                     if 
> (wget_buffer_ensure_capacity(conn->buf, bufsize + 1024) != WGET_E_SUCCESS) {
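
Review bot: the grow call wget_buffer_ensure_capacity(conn->buf, bufsize + 1024) has no upper limit in the lines shown, so each time the body_len + 1024 > bufsize test is true the buffer gets another 1024 bytes for as long as input keeps arriving. A maximum checked before the call, with the transfer failing once it is exceeded, would bound the allocation. The literal 1024 also appears in both the test and the grow call and would read better as one named constant.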

Adding more and more capacity to the buffer allows a DOS attack from the server 
(sending endless data without \r\n inside).

A simple solution could be to skip the chunk-extension by using a fixed size 
stack buffer and by limiting the chunk-size to a certain amount of bytes 
(reasonable size like 16 hex bytes == 64bit size).

I would like to address this later together with adding some tests for the 
corner cases.

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/merge_requests/480#note_492573023
You're receiving this email because of your account on gitlab.com.
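
Added example (not code from wget2 or from this thread): one way to realise the approach suggested in the mail above, a chunk-size line parser whose state has a constant size, which caps the size at 16 hex digits and discards the chunk-extension instead of buffering it. The names chunk_hdr, chunk_hdr_byte and parse_chunk_line, the 4096-byte cap on skipped extension bytes and the sample input are assumptions made for the illustration.

```c
#include <stdint.h>

enum { CH_ERR = -1, CH_MORE, CH_DONE };
enum { MAX_HEX_DIGITS = 16, MAX_EXT_BYTES = 4096 }; /* 16 per the mail; 4096 assumed */
struct chunk_hdr {            /* constant size: nothing grows with input */
	uint64_t size;            /* chunk-size accumulated so far */
	unsigned digits, skipped; /* hex digits seen, extension bytes dropped */
	enum { S_SIZE, S_EXT, S_LF } state;
};

static int hexval(unsigned char c)
{
	unsigned char l = c | 0x20;           /* fold A-F onto a-f */
	return (c >= '0' && c <= '9') ? c - '0' : (l >= 'a' && l <= 'f') ? l - 'a' + 10 : -1;
}

/* Feed one byte of a chunk-size line; the extension is skipped, not stored. */
static int chunk_hdr_byte(struct chunk_hdr *h, unsigned char c)
{
	int v = hexval(c);
	if (h->state == S_LF) return c == '\n' ? CH_DONE : CH_ERR;
	if (c == '\r' && h->digits) { h->state = S_LF; return CH_MORE; }
	if (h->state == S_EXT)                /* bounded discard */
		return ++h->skipped > MAX_EXT_BYTES ? CH_ERR : CH_MORE;
	if (v >= 0) {
		h->size = h->size << 4 | (uint64_t)v;
		return ++h->digits > MAX_HEX_DIGITS ? CH_ERR : CH_MORE;
	}
	if (!h->digits || (c != ';' && c != ' ' && c != '\t')) return CH_ERR;
	h->state = S_EXT;                     /* extension (or whitespace) begins */
	return CH_MORE;
}

/* Demo driver over a constructed, NUL-terminated sample line. */
static int parse_chunk_line(const char *in, uint64_t *out)
{
	struct chunk_hdr h = {0};
	int rc = CH_MORE;
	for (; *in && rc == CH_MORE; in++)
		rc = chunk_hdr_byte(&h, (unsigned char)*in);
	*out = h.size;
	return rc;
}

int main(void)
{
	uint64_t sz;
	return !(parse_chunk_line("1a;x=y\r\n", &sz) == CH_DONE && sz == 0x1a);
}
```

Because the parser is fed byte by byte, the caller can read from the socket into any fixed-size buffer; a line with no \r\n ends in CH_ERR once either limit is hit instead of growing memory.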



