Fix CWE-190 - DoS could happen with a specially crafted boundary parameter in a multipart request

Author: mathieucarbou

src/ESPAsyncWebServer.h

@@ -465,7 +465,7 @@ class AsyncWebServerRequest {
   std::unordered_map<const char *, String, std::hash<const char *>, std::equal_to<const char *>> _attributes;
 
   uint8_t _multiParseState;
-  uint8_t _boundaryPosition;
+  size_t _boundaryPosition;
   size_t _itemStartIndex;
   size_t _itemSize;
   String _itemName;

src/WebRequest.cpp

@@ -474,8 +474,50 @@ bool AsyncWebServerRequest::_parseReqHeader() {
     } else if (name.equalsIgnoreCase(T_Content_Type)) {
       _contentType = value.substring(0, value.indexOf(';'));
       if (value.startsWith(T_MULTIPART_)) {
-        _boundary = value.substring(value.indexOf('=') + 1);
+        String lowcase(value);
+        lowcase.toLowerCase();
+
+        int bpos = -1;
+        int searchFrom = 0;
+        while (true) {
+          int pos = lowcase.indexOf(T_BOUNDARY, searchFrom);
+          if (pos < 0) {
+            break;
+          }
+
+          // Only match a real parameter (must be preceded by ';' with optional whitespace)
+          int p = pos - 1;
+          while (p >= 0 && (lowcase.charAt(p) == ' ' || lowcase.charAt(p) == '\t')) {
+            p--;
+          }
+          if (p >= 0 && lowcase.charAt(p) == ';') {
+            bpos = pos;
+            break;
+          }
+
+          searchFrom = pos + 1;
+        }
+        if (bpos < 0) {
+          async_ws_log_d("Missing multipart boundary parameter, aborting");
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
+        _boundary = value.substring(bpos + (int)T_BOUNDARY_LEN);
+        int semi = _boundary.indexOf(';');
+        if (semi >= 0) {
+          _boundary = _boundary.substring(0, semi);
+        }
+        _boundary.trim();
         _boundary.replace(String('"'), String());
+        // RFC 2046 §5.1 limits boundary strings to 70 characters.
+        // Reject invalid boundaries to prevent integer overflow in the parser.
+        if (_boundary.length() == 0 || _boundary.length() > 70) {
+          async_ws_log_d("Invalid multipart boundary length (%u), aborting", _boundary.length());
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
         _isMultipart = true;
       }
     } else if (name.equalsIgnoreCase(T_Content_Length) || name.equalsIgnoreCase(T_X_Expected_Entity_Length)) {
@@ -743,8 +785,7 @@ void AsyncWebServerRequest::_parseMultipartPostByte(uint8_t data, bool last) {
       itemWriteByte('\n');
       itemWriteByte('-');
       itemWriteByte('-');
-      uint8_t i;
-      for (i = 0; i < _boundaryPosition; i++) {
+      for (size_t i = 0; i < _boundaryPosition; i++) {
         itemWriteByte(_boundary.c_str()[i]);
       }
       _parseMultipartPostByte(data, last);

src/literals.h

@@ -108,6 +108,8 @@ static constexpr const char T_username[] = "username";
 static constexpr const char T_WS[] = "websocket";
 static constexpr const char T_WWW_AUTH[] = "WWW-Authenticate";
 static constexpr const char T_X_Expected_Entity_Length[] = "X-Expected-Entity-Length";
+static constexpr const char T_BOUNDARY[] = "boundary=";
+static constexpr size_t T_BOUNDARY_LEN = sizeof(T_BOUNDARY) - 1;
 
 // HTTP Methods
 static constexpr const char T_GET[] = "GET";