didn't have much choice but to branch that file. this is already committed
to HEAD.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/unlabeled-1.436.2@95741 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 7cdc2b8..73e77c0 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -794,14 +794,37 @@
}
else if (lenp) {
const char *pos = lenp;
+ int conversion_error = 0;
+ /* This ensures that the number can not be negative. */
while (apr_isdigit(*pos) || apr_isspace(*pos)) {
++pos;
}
if (*pos == '\0') {
+ char *endstr;
ctx->state = BODY_LENGTH;
- ctx->remaining = atol(lenp);
+ ctx->remaining = strtol(lenp, &endstr, 10);
+
+ if (errno == ERANGE) {
+ conversion_error = 1;
+ }
+ }
+
+ if (*pos != '\0' || conversion_error) {
+ apr_bucket_brigade *bb;
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
+ "Invalid Content-Length");
+
+ bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
+ e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
+ f->r->pool, f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, e);
+ e = apr_bucket_eos_create(f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, e);
+ ctx->eos_sent = 1;
+ return ap_pass_brigade(f->r->output_filters, bb);
}
/* If we have a limit in effect and we know the C-L ahead of
@@ -1683,17 +1706,26 @@
}
else if (lenp) {
const char *pos = lenp;
+ int conversion_error = 0;
while (apr_isdigit(*pos) || apr_isspace(*pos)) {
++pos;
}
- if (*pos != '\0') {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Invalid Content-Length %s", lenp);
- return HTTP_BAD_REQUEST;
+
+ if (*pos == '\0') {
+ char *endstr;
+ r->remaining = strtol(lenp, &endstr, 10);
+
+ if (errno == ERANGE || errno == EINVAL) {
+ conversion_error = 1;
+ }
}
- r->remaining = atol(lenp);
+ if (*pos != '\0' || conversion_error) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid Content-Length");
+ return HTTP_BAD_REQUEST;
+ }
}
if ((r->read_body == REQUEST_NO_BODY)
