Fix stack overflow in HTTP protocol handling (CVE-2017-13089)

* src/http.c (skip_short_body): Return error on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
author: Tim Rühsen <tim.ruehsen@gmx.de> 2017-10-20 10:59:38 +0200
committer: Tim Rühsen <tim.ruehsen@gmx.de> 2017-10-26 17:29:38 +0200
commit: d892291fb8ace4c3b734ea5125770989c215df3f (patch)
tree: c572afb4279023c1caba5392cc2315021a64af35
parent: bec4c215a8cbaa1ddec71180f328abfcce81ee40 (diff)
download: wget-d892291fb8ace4c3b734ea5125770989c215df3f.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/src/http.c b/src/http.c
index 5536768..dc31823 100644
--- a/src/http.c
+++ b/src/http.c
@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked)
               remaining_chunk_size = strtol (line, &endl, 16);
               xfree (line);
 
+              if (remaining_chunk_size < 0)
+                return false;
+
               if (remaining_chunk_size == 0)
                 {
                   line = fd_read_line (fd);
author	Tim Rühsen <tim.ruehsen@gmx.de>	2017-10-20 10:59:38 +0200
committer	Tim Rühsen <tim.ruehsen@gmx.de>	2017-10-26 17:29:38 +0200
commit	d892291fb8ace4c3b734ea5125770989c215df3f (patch)
tree	c572afb4279023c1caba5392cc2315021a64af35
parent	bec4c215a8cbaa1ddec71180f328abfcce81ee40 (diff)
download	wget-d892291fb8ace4c3b734ea5125770989c215df3f.tar.gz