Limit maximum multipart/form-data pairs and files

A malicious user could inject an infinite number of empty files or
key/value pairs into a request in order to exhaust the device's
resources.

1 files changed, 17 insertions, 1 deletions

diff --git a/http.c b/http.c
index 478541e..19a1b93 100644
--- a/http.c
+++ b/http.c
@@ -1728,7 +1728,16 @@ static int apply_from_file(struct http_ctx *const h, struct form *const f)
 
     m->f = NULL;
 
+    const struct http_cfg_post *const cfg = &h->cfg.post;
     const size_t n = m->nfiles + 1;
+
+    if (n > cfg->max_files)
+    {
+        fprintf(stderr, "%s: exceeded maximum number of files (%zu)\n",
+            __func__, cfg->max_files);
+        return 1;
+    }
+
     struct http_post_file *const files = realloc(m->files,
         n * sizeof *m->files);
 
@@ -1777,10 +1786,17 @@ static int apply_from_mem(struct http_ctx *const h, struct form *const f)
     if (name_exists(m, f))
         return 1;
 
+    const struct http_cfg_post *const cfg = &h->cfg.post;
     struct http_post_pair *pairs, *p;
     const size_t n = m->npairs + 1;
 
-    if (!(f->value = strndup(h->line, m->written)))
+    if (n > cfg->max_pairs)
+    {
+        fprintf(stderr, "%s: exceeded maximum number of pairs (%zu)\n",
+            __func__, cfg->max_pairs);
+        return 1;
+    }
+    else if (!(f->value = strndup(h->line, m->written)))
     {
         fprintf(stderr, "%s: strndup(3): %s\n", __func__, strerror(errno));
         return -1;