commit 1e43edd529d3d7be89b4fedb7735a41e4e5ea725 parent ff26d02aa0419548049429b472f399c3eb78bec7 Author: Evgeny Grin (Karlson2k) <k2k@narod.ru> Date: Sun, 1 Mar 2026 00:23:07 +0100 Request chunk processing: reject bare CR in chunk extension Diffstat:
| M | src/microhttpd/connection.c | | | 27 | ++++++++++++++++++++------- |
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/microhttpd/connection.c b/src/microhttpd/connection.c @@ -4583,7 +4583,7 @@ process_request_body (struct MHD_Connection *connection) (allow_bws && ((' ' == buffer_head[num_dig]) || ('\t' == buffer_head[num_dig])))) - { /* Chunk extension */ + { /* Chunk extension or "bad whitespace" after chunk length */ size_t i; /* Skip bad whitespaces (if any) */ @@ -4596,20 +4596,32 @@ process_request_body (struct MHD_Connection *connection) break; /* need more data */ if (';' == buffer_head[i]) { + /* Chunk extension */ for (++i; i < available; ++i) { - if ('\n' == buffer_head[i]) + if (('\r' == buffer_head[i]) || + ('\n' == buffer_head[i])) break; } if (i == available) break; /* need more data */ mhd_assert (i > num_dig); mhd_assert (1 <= i); - /* Found LF position */ - if (bare_lf_as_crlf) - chunk_size_line_len = i; /* Don't care about CR before LF */ - else if ('\r' == buffer_head[i - 1]) - chunk_size_line_len = i; + if ('\r' == buffer_head[i]) + { + if (i + 1 == available) + break; /* need more data */ + if ('\n' == buffer_head[i + 1]) + chunk_size_line_len = i; /* Valid chunk header */ + } + else + { + mhd_assert ('\n' == buffer_head[i]); + if (bare_lf_as_crlf) + chunk_size_line_len = i; /* Valid chunk header */ + } + /* The chunk header is broken + if chunk_size_line_len is zero here. */ } else { /* No ';' after "bad whitespace" */ @@ -4619,6 +4631,7 @@ process_request_body (struct MHD_Connection *connection) } else { + /* No chunk extension */ mhd_assert (available >= num_dig); if ((2 <= (available - num_dig)) && ('\r' == buffer_head[num_dig]) &&