Negative Content-Length Leads to abort()
In lib/isc/httpd.c, process_request() parses an HTTP request and evaluates the "Content-Length" field. If that field is negative or big enough, the addition to httpd->consume might overflow and trigger an INSIST(httpd->consume != 0) assertion in prepare_response().

    ssize_t content_len = 0;
    bool keep_alive = false;
    isc_time_set(&httpd->if_modified_since, 0, 0);
    for (size_t i = 0; i < num_headers; i++) {
        struct phr_header *header = &headers[i];
        if (name_match(header, "Content-Length")) {
            char *endptr;
            content_len = (size_t)strtoul(header->value, &endptr,
                                          10);
            /* Consistency check, if we consumed all numbers */
            if ((header->value + header->value_len) != endptr) {
                return (ISC_R_RANGE);
            }
    ...
    /* Consume the request's data, which we do not use. */
    httpd->consume += content_len;
    ...
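
An added example, not BIND's code or its actual fix: the excerpt's strtoul() pattern next to a strict parser that accepts digits only and checks the addition to the consumed byte count before it happens. The function names, the max_body cap and the consumed parameter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/types.h>

/* Pattern from the excerpt: strtoul() accepts a leading '-' and negates the
 * result, so "-1" becomes ULONG_MAX and reads as -1 once stored in ssize_t. */
ssize_t
legacy_content_length(const char *value) {
	char *endptr;
	ssize_t content_len = (size_t)strtoul(value, &endptr, 10);
	return (content_len);
}

/* Hypothetical strict parser: decimal digits only, capped at max_body, and
 * consumed + length must not wrap. value does not need to be NUL-terminated.
 * Returns true and stores the length in *out; *out is untouched on failure. */
bool
strict_content_length(const char *value, size_t value_len, size_t consumed,
		      size_t max_body, size_t *out) {
	size_t n = 0;

	if (value_len == 0) {
		return (false);
	}
	for (size_t i = 0; i < value_len; i++) {
		unsigned char c = (unsigned char)value[i];
		if (c < '0' || c > '9') {
			return (false); /* rejects '-', '+', spaces, "0x" */
		}
		size_t d = (size_t)(c - '0');
		/* n * 10 + d <= max_body, tested without overflowing n */
		if (d > max_body || n > (max_body - d) / 10) {
			return (false);
		}
		n = n * 10 + d;
	}
	if (n > SIZE_MAX - consumed) {
		return (false); /* consumed + n would wrap around */
	}
	*out = n;
	return (true);
}
```
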