Fix CWE-190: integer overflow in multipart boundary parser (DoS)

mathieucarbou · Copilot · mathieucarbou · commit 6d590d7f9261 · 2026-06-07T15:59:08.000+02:00
_boundaryPosition was declared as uint8_t. A remote attacker could send a
Content-Type header with a boundary string of exactly 256 bytes, causing the
increment in _parseMultipartPostByte() to overflow back to 0. The parser
would then loop indefinitely in the BOUNDARY_OR_DATA state, consuming 100%
CPU and triggering the FreeRTOS watchdog on ESP32/ESP8266.

Fixes:
- ESPAsyncWebServer.h: change _boundaryPosition from uint8_t to size_t,
  eliminating the overflow entirely.
- WebRequest.cpp (_parseMultipartPostByte): change the rewind loop variable
  from uint8_t to size_t for consistency.
- WebRequest.cpp (_parseReqHeader): validate the boundary value extracted
  from the Content-Type header before any body parsing begins:
    * Require the 'boundary=' token to be a proper RFC 2045 parameter
      (immediately preceded by ';'), preventing substring false-matches.
    * Strip optional surrounding whitespace, quotes and trailing parameters
      (RFC 2046 quoted-string form).
    * Reject boundaries that are empty or longer than 70 characters
      (RFC 2046 §5.1 hard limit); drop the connection immediately with
      PARSE_REQ_FAIL + abort() instead of continuing.

Fix CWE-190: properly parse RFC 2046 quoted-string boundary values

The previous code stripped all double-quote characters from the boundary
string using a blanket replace(), which would silently corrupt boundary
values that contain escaped quotes (\") and could leave a trailing
semi-colon if the quoted string was followed by another parameter.

Replace with a proper RFC 2045/2046 quoted-string parser:
- Token form  (no leading quote): trim and stop at the next ';'.
- Quoted-string form (leading '"'): scan forward for the closing quote,
  skipping backslash-escaped quotes (\") along the way; extract the
  content between the outer quotes.  Reject unterminated quoted strings
  (missing closing quote) immediately with PARSE_REQ_FAIL + abort().

This was reviewed and proposed by GitHub Copilot Autofix.

Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/src/ESPAsyncWebServer.h b/src/ESPAsyncWebServer.h
@@ -465,7 +465,9 @@ class AsyncWebServerRequest {
   std::unordered_map<const char *, String, std::hash<const char *>, std::equal_to<const char *>> _attributes;
 
   uint8_t _multiParseState;
-  uint8_t _boundaryPosition;
+  // CWE-190 fix: was uint8_t, which would overflow to 0 for boundaries >= 256
+  // bytes and cause the BOUNDARY_OR_DATA parser loop to never terminate (DoS).
+  size_t _boundaryPosition;
   size_t _itemStartIndex;
   size_t _itemSize;
   String _itemName;
diff --git a/src/WebRequest.cpp b/src/WebRequest.cpp
@@ -473,9 +473,139 @@ bool AsyncWebServerRequest::_parseReqHeader() {
       _host = value;
     } else if (name.equalsIgnoreCase(T_Content_Type)) {
       _contentType = value.substring(0, value.indexOf(';'));
-      if (value.startsWith(T_MULTIPART_)) {
-        _boundary = value.substring(value.indexOf('=') + 1);
-        _boundary.replace(String('"'), String());
+      // AsyncWebHeader::parse skips only a single space after the colon, so
+      // extra leading whitespace (e.g. two spaces or a tab) would survive into
+      // value.  Trim _contentType so callers always receive a clean value.
+      _contentType.trim();
+      // Media types are case-insensitive (RFC 2045 §5.1), so lowercase the
+      // entire header value once and reuse it for all subsequent searches.
+      // Header values are stored as-is from the raw request; they are never
+      // normalized to lowercase by the header parser.
+      String lowcase(value);
+      lowcase.toLowerCase();
+      // Strip any leading whitespace from the lowercased copy so that
+      // startsWith(T_MULTIPART_) works even when AsyncWebHeader::parse left
+      // more than one space after the colon.  Track the offset so that
+      // absolute positions found in lowcase can be mapped back into value
+      // (which retains its original case for case-sensitive boundary extraction).
+      int valueOffset = 0;
+      while (valueOffset < (int)lowcase.length() && (lowcase.charAt(valueOffset) == ' ' || lowcase.charAt(valueOffset) == '\t')) {
+        valueOffset++;
+      }
+      if (valueOffset > 0) {
+        lowcase = lowcase.substring(valueOffset);
+      }
+      if (lowcase.startsWith(T_MULTIPART_)) {
+        // Case-insensitive search for the boundary parameter.
+        // A simple indexOf("boundary=") would incorrectly match a token whose
+        // name merely ends in "boundary=" (e.g. "x-boundary=").  We require
+        // the match to be immediately preceded by a ';' (with optional
+        // whitespace) to ensure it is a proper RFC 2045 parameter.
+
+        int bpos = -1;
+        int searchFrom = 0;
+        while (true) {
+          int pos = lowcase.indexOf(T_BOUNDARY, searchFrom);
+          if (pos < 0) {
+            break;
+          }
+
+          // Only match a real parameter (must be preceded by ';' with optional whitespace)
+          int p = pos - 1;
+          while (p >= 0 && (lowcase.charAt(p) == ' ' || lowcase.charAt(p) == '\t')) {
+            p--;
+          }
+          if (p >= 0 && lowcase.charAt(p) == ';') {
+            bpos = pos;
+            break;
+          }
+
+          searchFrom = pos + 1;
+        }
+
+        if (bpos < 0) {
+          // No valid boundary parameter found — cannot parse multipart body.
+          async_ws_log_d("Missing multipart boundary parameter, aborting");
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
+
+        // Extract the boundary value that follows "boundary=" and strip leading/
+        // trailing whitespace.  The value may be either a token or a
+        // quoted-string (RFC 2045 §5.1 / RFC 2046 §5.1).
+        // bpos is relative to the trimmed lowcase, so add valueOffset to map
+        // back to the original (case-preserving) value string.
+        _boundary = value.substring(valueOffset + bpos + (int)T_BOUNDARY_LEN);
+        _boundary.trim();
+
+        if (_boundary.startsWith("\"")) {
+          // Quoted-string form: scan forward from position 1 for the closing
+          // double-quote.  A quote is escaped only when preceded by an ODD
+          // number of consecutive backslashes (e.g. \" is escaped, \\" is not
+          // because the two backslashes escape each other, leaving the quote
+          // unescaped).  Checking only the immediately preceding character
+          // would mishandle the \\" case.
+          int endQuote = 1;
+          while (true) {
+            endQuote = _boundary.indexOf('"', endQuote);
+            if (endQuote < 0) {
+              break;  // string ran out — unterminated quote
+            }
+            // Count consecutive backslashes immediately before this quote.
+            int backslashes = 0;
+            while (endQuote - 1 - backslashes >= 0 && _boundary.charAt(endQuote - 1 - backslashes) == '\\') {
+              backslashes++;
+            }
+            if (backslashes % 2 == 0) {
+              break;  // even number of backslashes → quote is real closing quote
+            }
+            endQuote++;  // odd number → quote is escaped, keep scanning
+          }
+          if (endQuote < 0) {
+            // Opening quote was never closed — malformed header.
+            async_ws_log_d("Invalid multipart boundary (unterminated quote), aborting");
+            _parseState = PARSE_REQ_FAIL;
+            abort();
+            return true;
+          }
+          // Strip the surrounding quotes; content between them is the boundary.
+          _boundary = _boundary.substring(1, endQuote);
+
+          // Unescape quoted-pair sequences so the boundary matches the actual bytes on the wire.
+          String unescaped;
+          unescaped.reserve(_boundary.length());
+          for (size_t i = 0; i < _boundary.length(); ++i) {
+            char c = _boundary.charAt(i);
+            if (c == '\\' && (i + 1) < _boundary.length()) {
+              c = _boundary.charAt(++i);
+            }
+            unescaped += c;
+          }
+          _boundary = unescaped;
+        } else {
+          // Token form: the value ends at the next ';' (start of the next
+          // parameter) or at the end of the header field.
+          int semi = _boundary.indexOf(';');
+          if (semi >= 0) {
+            _boundary = _boundary.substring(0, semi);
+          }
+          _boundary.trim();
+        }
+
+        // CWE-190 / DoS fix: RFC 2046 §5.1 limits boundary strings to 70
+        // characters.  _boundaryPosition was formerly uint8_t, so a boundary
+        // of exactly 256 bytes would overflow the counter to 0, preventing the
+        // BOUNDARY_OR_DATA loop from ever reaching the end of the boundary and
+        // causing unbounded CPU consumption (watchdog reset on ESP32/ESP8266).
+        // Reject boundaries outside the valid range before any parsing begins.
+        if (_boundary.length() == 0 || _boundary.length() > 70) {
+          async_ws_log_d("Invalid multipart boundary length (%u), aborting", _boundary.length());
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
+
         _isMultipart = true;
       }
     } else if (name.equalsIgnoreCase(T_Content_Length) || name.equalsIgnoreCase(T_X_Expected_Entity_Length)) {
@@ -628,6 +758,11 @@ void AsyncWebServerRequest::_parseMultipartPostByte(uint8_t data, bool last) {
       _multiParseState = EXPECT_FEED1;
     }
   } else if (_multiParseState == EXPECT_BOUNDARY) {
+    // Note: when _parsedLength < 2, the subtractions below (_parsedLength - 2
+    // and _parsedLength - 3) wrap around to very large size_t values.  This is
+    // intentional: the wrapped values are always greater than _boundary.length()
+    // (which is at most 70), so those comparisons evaluate to false and the
+    // first two bytes (the '--' prefix) are consumed without error.
     if (_parsedLength < 2 && data != '-') {
       _multiParseState = PARSE_ERROR;
       return;
@@ -743,8 +878,9 @@ void AsyncWebServerRequest::_parseMultipartPostByte(uint8_t data, bool last) {
       itemWriteByte('\n');
       itemWriteByte('-');
       itemWriteByte('-');
-      uint8_t i;
-      for (i = 0; i < _boundaryPosition; i++) {
+      // CWE-190 fix: loop variable was uint8_t, matching the old type of
+      // _boundaryPosition.  Changed to size_t for consistency.
+      for (size_t i = 0; i < _boundaryPosition; i++) {
         itemWriteByte(_boundary.c_str()[i]);
       }
       _parseMultipartPostByte(data, last);
@@ -784,8 +920,7 @@ void AsyncWebServerRequest::_parseMultipartPostByte(uint8_t data, bool last) {
       itemWriteByte('\n');
       itemWriteByte('-');
       itemWriteByte('-');
-      uint8_t i;
-      for (i = 0; i < _boundary.length(); i++) {
+      for (size_t i = 0; i < _boundary.length(); i++) {
         itemWriteByte(_boundary.c_str()[i]);
       }
       _parseMultipartPostByte(data, last);
@@ -800,8 +935,7 @@ void AsyncWebServerRequest::_parseMultipartPostByte(uint8_t data, bool last) {
       itemWriteByte('\n');
       itemWriteByte('-');
       itemWriteByte('-');
-      uint8_t i;
-      for (i = 0; i < _boundary.length(); i++) {
+      for (size_t i = 0; i < _boundary.length(); i++) {
         itemWriteByte(_boundary.c_str()[i]);
       }
       itemWriteByte('\r');
diff --git a/src/literals.h b/src/literals.h
@@ -108,6 +108,8 @@ static constexpr const char T_username[] = "username";
 static constexpr const char T_WS[] = "websocket";
 static constexpr const char T_WWW_AUTH[] = "WWW-Authenticate";
 static constexpr const char T_X_Expected_Entity_Length[] = "X-Expected-Entity-Length";
+static constexpr const char T_BOUNDARY[] = "boundary=";
+static constexpr size_t T_BOUNDARY_LEN = sizeof(T_BOUNDARY) - 1;
 
 // HTTP Methods
 static constexpr const char T_GET[] = "GET";
