[tomcat] branch main updated: Manually merge #548 - Avoid int overflow when parsing octet

Mon, 29 Aug 2022 06:47:13 -0700 

This is an automated email from the ASF dual-hosted git repository.

lihan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 054abe0fab Manually merge #548 - Avoid int overflow when parsing octet
054abe0fab is described below

commit 054abe0fab178bfdfab005ae75f2317e7ca80151
Author: lihan <li...@apache.org>
AuthorDate: Mon Aug 29 21:43:06 2022 +0800

    Manually merge #548 - Avoid int overflow when parsing octet
---
 java/org/apache/tomcat/util/http/parser/HttpParser.java         | 4 ++++
 test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java | 2 ++
 webapps/docs/changelog.xml                                      | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/java/org/apache/tomcat/util/http/parser/HttpParser.java 
b/java/org/apache/tomcat/util/http/parser/HttpParser.java
index 4df0467194..21ba58967d 100644
--- a/java/org/apache/tomcat/util/http/parser/HttpParser.java
+++ b/java/org/apache/tomcat/util/http/parser/HttpParser.java
@@ -754,6 +754,10 @@ public class HttpParser {
                     }
                 } else {
                     octet = octet * 10 + c - '0';
+                    // Avoid overflow
+                    if (octet > 255) {
+                        break;
+                    }
                 }
             } else if (c == ':') {
                 break;
diff --git a/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java 
b/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
index e5b9bc0572..fa6e0634a8 100644
--- a/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
+++ b/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
@@ -78,6 +78,8 @@ public class TestHttpParserHost {
         result.add(new Object[] { TestType.IPv4, "0.a.0.0:8080", 
Integer.valueOf(7), null} );
         result.add(new Object[] { TestType.IPv4, "localhost", 
Integer.valueOf(-1), null} );
         result.add(new Object[] { TestType.IPv4, "localhost:8080", 
Integer.valueOf(9), null} );
+        result.add(new Object[] { TestType.IPv4, "4294967295.localhost", 
Integer.valueOf(-1), null} );
+        result.add(new Object[] { TestType.IPv4, "4294967295.com", 
Integer.valueOf(-1), null} );
         result.add(new Object[] { TestType.IPv4, "tomcat.apache.org", 
Integer.valueOf(-1), null} );
         result.add(new Object[] { TestType.IPv4, "tomcat.apache.org:8080", 
Integer.valueOf(17), null} );
         result.add(new Object[] { TestType.IPv4, "0.0.0.com", 
Integer.valueOf(-1), null} );
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7d0db6d06e..d198c4f76b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -203,6 +203,10 @@
         errors) via a <code>UserDataHelper</code> to broadly align it with the
         behaviour of HTTP/1.1 for parsing issues and exceeding limits. (markt)
       </fix>
+      <fix>
+        <bug>66240</bug>: Avoid int overflow when parsing octets by limiting
+        the maximum value to 255. Based on a PR <pr>548</pr> by Stefan Mayr. 
(lihan)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to