[tomcat] branch 8.5.x updated: Manually merge #548 - Avoid int overflow when parsing octet

Mon, 29 Aug 2022 06:48:15 -0700 

This is an automated email from the ASF dual-hosted git repository.

lihan pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 44263ecce6 Manually merge #548 - Avoid int overflow when parsing octet
44263ecce6 is described below

commit 44263ecce6f7dd3a9e99a4d8a1f36533f5434a30
Author: lihan <li...@apache.org>
AuthorDate: Mon Aug 29 21:43:06 2022 +0800

    Manually merge #548 - Avoid int overflow when parsing octet
---
 java/org/apache/tomcat/util/http/parser/HttpParser.java         | 4 ++++
 test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java | 2 ++
 webapps/docs/changelog.xml                                      | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/java/org/apache/tomcat/util/http/parser/HttpParser.java 
b/java/org/apache/tomcat/util/http/parser/HttpParser.java
index 2b6dae5264..32b3a6cd60 100644
--- a/java/org/apache/tomcat/util/http/parser/HttpParser.java
+++ b/java/org/apache/tomcat/util/http/parser/HttpParser.java
@@ -774,6 +774,10 @@ public class HttpParser {
                     }
                 } else {
                     octet = octet * 10 + c - '0';
+                    // Avoid overflow
+                    if (octet > 255) {
+                        break;
+                    }
                 }
             } else if (c == ':') {
                 break;
diff --git a/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java 
b/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
index a162472551..401d647932 100644
--- a/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
+++ b/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
@@ -78,6 +78,8 @@ public class TestHttpParserHost {
         result.add(new Object[] { TestType.IPv4, "0.a.0.0:8080", 
Integer.valueOf(7), null} );
         result.add(new Object[] { TestType.IPv4, "localhost", 
Integer.valueOf(-1), null} );
         result.add(new Object[] { TestType.IPv4, "localhost:8080", 
Integer.valueOf(9), null} );
+        result.add(new Object[] { TestType.IPv4, "4294967295.localhost", 
Integer.valueOf(-1), null} );
+        result.add(new Object[] { TestType.IPv4, "4294967295.com", 
Integer.valueOf(-1), null} );
         result.add(new Object[] { TestType.IPv4, "tomcat.apache.org", 
Integer.valueOf(-1), null} );
         result.add(new Object[] { TestType.IPv4, "tomcat.apache.org:8080", 
Integer.valueOf(17), null} );
         result.add(new Object[] { TestType.IPv4, "0.0.0.com", 
Integer.valueOf(-1), null} );
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index cda85a0fcb..62c72ec1a8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -157,6 +157,10 @@
         errors) via a <code>UserDataHelper</code> to broadly align it with the
         behaviour of HTTP/1.1 for parsing issues and exceeding limits. (markt)
       </fix>
+      <fix>
+        <bug>66240</bug>: Avoid int overflow when parsing octets by limiting
+        the maximum value to 255. Based on a PR <pr>548</pr> by Stefan Mayr. 
(lihan)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to