Skip to content

fix: buffer overflow in multipart body proc #3546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
airween wants to merge 2 commits into
base: v3/master
Choose a base branch
from
+5 −3
Open

fix: buffer overflow in multipart body proc #3546

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
164de0f
fix: buffer overflow in multipart body proc
airween Apr 12, 2026
b9fb213
cast argument as unsigned
airween Apr 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions src/request_body_processor/multipart.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,11 +362,11 @@ int Multipart::parse_content_disposition(const char *c_d_value, int offset) {
const char* start_of_filename = p;
while ((*p != '\0') && (*p != ';')) {
if (*p == '%') {
if ((*(p+1) == '\0') || (!isxdigit(*(p+1))) || (!isxdigit(*(p+2)))) {
if ((*(p+1) == '\0') || (!isxdigit(*(p+1))) || (*(p+2) == '\0') || (!isxdigit(static_cast<unsigned char>(*(p+2))))) {
return -18;
}
p += 3;
} else if (isalnum(*p) || strchr(attr_char_special, *p)) {
} else if (isalnum(static_cast<unsigned char>(*p)) || strchr(attr_char_special, *p)) {
p++;
} else {
return -19;
Expand Down Expand Up @@ -415,7 +415,9 @@ int Multipart::parse_content_disposition(const char *c_d_value, int offset) {
value.append((p++), 1);
}

p++; /* go over the quote at the end */
if (*p == quote) {
p++; /* go over the quote at the end */
Copy link

Copilot AI Apr 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the quoted value runs to the end of the string without a closing quote, this now silently accepts the header and finishes parsing with p at \0. That’s safer than the previous OOB, but it likely violates the expected grammar for quoted parameters and can lead to inconsistent parsing/validation. Consider treating a missing closing quote as an error (e.g., return a specific negative code and/or set m_flag_invalid_quoting) instead of accepting it as valid.

Suggested change
p++; /* go over the quote at the end */
p++; /* go over the quote at the end */
} else {
m_flag_invalid_quoting = 1;
return -15;

Copilot uses AI. Check for mistakes.
}

Comment on lines +418 to 421
Copy link

Copilot AI Apr 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR addresses out-of-bounds reads in Content-Disposition parsing; adding regression cases for (1) filename* values ending with an incomplete percent-escape (e.g. trailing %A) and (2) quoted values missing a terminating quote would help ensure this remains fixed (especially under ASAN/UBSAN).

Suggested change
if (*p == quote) {
p++; /* go over the quote at the end */
}
if (*p == '\0') {
/* missing terminating quote */
return -7;
}
p++; /* go over the quote at the end */

Copilot uses AI. Check for mistakes.
} else {
/* not quoted */
Expand Down
Loading