From e3877501044f6ade55aa9ff5afff4534f5d9583d Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Thu, 30 Aug 2018 14:42:06 -0500
Subject: [PATCH] http.c: Give HTTP error response when received lines are too
 long.

Added a check when we receive a HTTP request line or header line that is
too long.  We now return an error response to the sender because we are
not able to process the request.

Change-Id: I6df2705435fd7dde4d5d3bdf7acec859cfb7c12d
---
 main/http.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/main/http.c b/main/http.c
index d7ec60a961..5d0b89e0ca 100644
--- a/main/http.c
+++ b/main/http.c
@@ -1740,13 +1740,21 @@ static int http_request_headers_get(struct ast_tcptls_session_instance *ser, str
 
 	remaining_headers = MAX_HTTP_REQUEST_HEADERS;
 	for (;;) {
+		ssize_t len;
 		char *name;
 		char *value;
 
-		if (ast_iostream_gets(ser->stream, header_line, sizeof(header_line)) <= 0) {
+		len = ast_iostream_gets(ser->stream, header_line, sizeof(header_line));
+		if (len <= 0) {
 			ast_http_error(ser, 400, "Bad Request", "Timeout");
 			return -1;
 		}
+		if (header_line[len - 1] != '\n') {
+			/* We didn't get a full line */
+			ast_http_error(ser, 400, "Bad Request",
+				(len == sizeof(header_line) - 1) ? "Header line too long" : "Timeout");
+			return -1;
+		}
 
 		/* Trim trailing characters */
 		ast_trim_blanks(header_line);
@@ -1815,9 +1823,11 @@ static int httpd_process_request(struct ast_tcptls_session_instance *ser)
 	struct http_worker_private_data *request;
 	enum ast_http_method http_method = AST_HTTP_UNKNOWN;
 	int res;
+	ssize_t len;
 	char request_line[MAX_HTTP_LINE_LENGTH];
 
-	if (ast_iostream_gets(ser->stream, request_line, sizeof(request_line)) <= 0) {
+	len = ast_iostream_gets(ser->stream, request_line, sizeof(request_line));
+	if (len <= 0) {
 		return -1;
 	}
 
@@ -1825,6 +1835,13 @@ static int httpd_process_request(struct ast_tcptls_session_instance *ser)
 	request = ser->private_data;
 	http_request_tracking_init(request);
 
+	if (request_line[len - 1] != '\n') {
+		/* We didn't get a full line */
+		ast_http_error(ser, 400, "Bad Request",
+			(len == sizeof(request_line) - 1) ? "Request line too long" : "Timeout");
+		return -1;
+	}
+
 	/* Get method */
 	method = ast_skip_blanks(request_line);
 	uri = ast_skip_nonblanks(method);
-- 
GitLab