From afe0681c0b26bb64bad55d7e86770f346cfa043e Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero
Date: Mon, 19 Feb 2024 23:00:56 +0100
Subject: Limit maximum multipart/form-data pairs and files

A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources.
---
 http.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'http.c')

diff --git a/http.c b/http.c
index 478541e..19a1b93 100644
--- a/http.c
+++ b/http.c
@@ -1728,7 +1728,16 @@ static int apply_from_file(struct http_ctx *const h, struct form *const f)
 m->f = NULL;
+ const struct http_cfg_post *const cfg = &h->cfg.post;
 const size_t n = m->nfiles + 1;
+
+ if (n > cfg->max_files)
+ {
+ fprintf(stderr, "%s: exceeded maximum number of files (%zu)\n",
+ __func__, cfg->max_files);
+ return 1;
+ }
+
 struct http_post_file *const files = realloc(m->files, n * sizeof *m->files);
@@ -1777,10 +1786,17 @@ static int apply_from_mem(struct http_ctx *const h, struct form *const f)
 if (name_exists(m, f)) return 1;
+ const struct http_cfg_post *const cfg = &h->cfg.post;
 struct http_post_pair *pairs, *p;
 const size_t n = m->npairs + 1;
- if (!(f->value = strndup(h->line, m->written)))
+ if (n > cfg->max_pairs)
+ {
+ fprintf(stderr, "%s: exceeded maximum number of pairs (%zu)\n",
+ __func__, cfg->max_pairs);
+ return 1;
+ }
+ else if (!(f->value = strndup(h->line, m->written)))
 {
 fprintf(stderr, "%s: strndup(3): %s\n", __func__, strerror(errno));
 return -1;
-- cgit v1.2.3
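Review bot: The new guard `if (n > cfg->max_files)` rejects every file when `max_files` is 0, and the `max_pairs` check in apply_from_mem behaves the same way, so a caller that zero-initialises its configuration would have all multipart uploads refused after this change. The field definitions are outside this diff (it is limited to http.c), so whether 0 is meant as "none allowed" cannot be confirmed from here. A comment above the check would settle it, for example `/* A limit of 0 rejects every file; callers must set max_files explicitly. */`, with the same wording for `max_pairs`. The body of apply_from_file starts and ends outside the hunk.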
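Review bot: The `else` in `else if (!(f->value = strndup(h->line, m->written)))` is redundant, because the limit branch before it always returns. Keeping the original `if (!(f->value = strndup(h->line, m->written)))` as its own statement after the new block would leave that line out of the diff and match apply_from_file, where the limit check is a standalone `if`. The body of apply_from_mem continues outside the hunk.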