Merged
12 changes: 10 additions & 2 deletions src/tools/clu_http.c
Expand Up @@ -257,6 +257,11 @@ SOCKET_T wolfCLU_ServerAccept(SOCKET_T serverfd)
* @param buffer buffer to store request
* @param bufferSz size of buffer
* @return number of bytes received, or negative on error
*
* @note If Content-Length is larger than receive buffer,
* contentLen is clamped to available space. Callers must
* re-validate the body length against the advertised
* Content-Length (see wolfCLU_HttpServerParseRequest).
*/
int wolfCLU_HttpServerRecv(SOCKET_T clientfd, byte* buffer, int bufferSz)
{
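Review bot: The new @note makes the caller responsible for detecting truncation, but the @return line still only says "number of bytes received", so nothing in the documented contract tells a caller that contentLen was clamped. Consider stating in the comment what is returned when the body does not fit, or returning a distinct negative error in that case so that a caller that skips the re-validation fails closed rather than parsing a short body. The note could also give the exact limit, bufferSz - 1 - headerSz, instead of "available space".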
Expand Down Expand Up @@ -285,11 +290,14 @@ int wolfCLU_HttpServerRecv(SOCKET_T clientfd, byte* buffer, int bufferSz)
contentLen = XATOI(cl + 15);
if (contentLen < 0)
contentLen = 0;
/* Clamp to the space the buffer can hold */
if (contentLen > bufferSz - 1 - headerSz)
contentLen = bufferSz - 1 - headerSz;
}
}
}
/* Check if we have the full body */
if (headerSz > 0 && totalLen >= headerSz + contentLen)
/* Check for the full body. */
if (headerSz > 0 && totalLen - headerSz >= contentLen)
break;
}
return totalLen;
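Review bot: The clamp at "if (contentLen > bufferSz - 1 - headerSz)" runs after the "if (contentLen < 0)" floor, so if headerSz can ever exceed bufferSz - 1 the clamp assigns a negative value that is never re-checked. The rewritten test "totalLen - headerSz >= contentLen" would then be true immediately and the loop would break with whatever has been read so far. Either add a comment stating why headerSz is always at most bufferSz - 1 at this point, or move the "< 0" floor below the clamp so that both bounds are enforced on the final value.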