Fix CWE-190 - DoS could happen with a specially crafted boundary parameter in a multipart request

mathieucarbou · mathieucarbou · commit 658afa6ecc9f · 2026-06-07T13:11:20.000+02:00
diff --git a/src/ESPAsyncWebServer.h b/src/ESPAsyncWebServer.h
@@ -465,7 +465,7 @@ class AsyncWebServerRequest {
   std::unordered_map<const char *, String, std::hash<const char *>, std::equal_to<const char *>> _attributes;
 
   uint8_t _multiParseState;
-  uint8_t _boundaryPosition;
+  size_t _boundaryPosition;
   size_t _itemStartIndex;
   size_t _itemSize;
   String _itemName;
diff --git a/src/WebRequest.cpp b/src/WebRequest.cpp
@@ -474,8 +474,31 @@ bool AsyncWebServerRequest::_parseReqHeader() {
     } else if (name.equalsIgnoreCase(T_Content_Type)) {
       _contentType = value.substring(0, value.indexOf(';'));
       if (value.startsWith(T_MULTIPART_)) {
-        _boundary = value.substring(value.indexOf('=') + 1);
+        String lowcase(value);
+        lowcase.toLowerCase();
+        int bpos = lowcase.indexOf(T_BOUNDARY);
+        if (bpos < 0) {
+          async_ws_log_d("Missing multipart boundary parameter, aborting");
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
+
+        _boundary = value.substring(bpos + T_BOUNDARY_LEN);
+        int semi = _boundary.indexOf(';');
+        if (semi >= 0) {
+          _boundary = _boundary.substring(0, semi);
+        }
+        _boundary.trim();
         _boundary.replace(String('"'), String());
+        // RFC 2046 §5.1 limits boundary strings to 70 characters.
+        // Reject invalid boundaries to prevent integer overflow in the parser.
+        if (_boundary.length() == 0 || _boundary.length() > 70) {
+          async_ws_log_d("Invalid multipart boundary length (%u), aborting", _boundary.length());
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
         _isMultipart = true;
       }
     } else if (name.equalsIgnoreCase(T_Content_Length) || name.equalsIgnoreCase(T_X_Expected_Entity_Length)) {
@@ -743,8 +766,7 @@ void AsyncWebServerRequest::_parseMultipartPostByte(uint8_t data, bool last) {
       itemWriteByte('\n');
       itemWriteByte('-');
       itemWriteByte('-');
-      uint8_t i;
-      for (i = 0; i < _boundaryPosition; i++) {
+      for (size_t i = 0; i < _boundaryPosition; i++) {
         itemWriteByte(_boundary.c_str()[i]);
       }
       _parseMultipartPostByte(data, last);
diff --git a/src/literals.h b/src/literals.h
@@ -108,6 +108,8 @@ static constexpr const char T_username[] = "username";
 static constexpr const char T_WS[] = "websocket";
 static constexpr const char T_WWW_AUTH[] = "WWW-Authenticate";
 static constexpr const char T_X_Expected_Entity_Length[] = "X-Expected-Entity-Length";
+static constexpr const char T_BOUNDARY[] = "boundary=";
+static constexpr size_t T_BOUNDARY_LEN = sizeof(T_BOUNDARY) - 1;
 
 // HTTP Methods
 static constexpr const char T_GET[] = "GET";
