Fix CWE-190: integer overflow in multipart boundary parser (DoS)

_boundaryPosition was declared as uint8_t. A remote attacker could send a
Content-Type header with a boundary string of exactly 256 bytes, causing the
increment in _parseMultipartPostByte() to overflow back to 0. The parser
would then loop indefinitely in the BOUNDARY_OR_DATA state, consuming 100%
CPU and triggering the FreeRTOS watchdog on ESP32/ESP8266.

Fixes:
- ESPAsyncWebServer.h: change _boundaryPosition from uint8_t to size_t,
  eliminating the overflow entirely.
- WebRequest.cpp (_parseMultipartPostByte): change the rewind loop variable
  from uint8_t to size_t for consistency.
- WebRequest.cpp (_parseReqHeader): validate the boundary value extracted
  from the Content-Type header before any body parsing begins:
    * Require the 'boundary=' token to be a proper RFC 2045 parameter
      (immediately preceded by ';'), preventing substring false-matches.
    * Strip optional surrounding whitespace, quotes and trailing parameters
      (RFC 2046 quoted-string form).
    * Reject boundaries that are empty or longer than 70 characters
      (RFC 2046 §5.1 hard limit); drop the connection immediately with
      PARSE_REQ_FAIL + abort() instead of continuing.

Author: mathieucarbou

src/ESPAsyncWebServer.h

@@ -465,7 +465,9 @@ class AsyncWebServerRequest {
   std::unordered_map<const char *, String, std::hash<const char *>, std::equal_to<const char *>> _attributes;
 
   uint8_t _multiParseState;
-  uint8_t _boundaryPosition;
+  // CWE-190 fix: was uint8_t, which would overflow to 0 for boundaries >= 256
+  // bytes and cause the BOUNDARY_OR_DATA parser loop to never terminate (DoS).
+  size_t _boundaryPosition;
   size_t _itemStartIndex;
   size_t _itemSize;
   String _itemName;

src/WebRequest.cpp

@@ -474,8 +474,67 @@ bool AsyncWebServerRequest::_parseReqHeader() {
     } else if (name.equalsIgnoreCase(T_Content_Type)) {
       _contentType = value.substring(0, value.indexOf(';'));
       if (value.startsWith(T_MULTIPART_)) {
-        _boundary = value.substring(value.indexOf('=') + 1);
+        // Case-insensitive search for the boundary parameter.
+        // A simple indexOf("boundary=") would incorrectly match a token whose
+        // name merely ends in "boundary=" (e.g. "x-boundary=").  We require
+        // the match to be immediately preceded by a ';' (with optional
+        // whitespace) to ensure it is a proper RFC 2045 parameter.
+        String lowcase(value);
+        lowcase.toLowerCase();
+
+        int bpos = -1;
+        int searchFrom = 0;
+        while (true) {
+          int pos = lowcase.indexOf(T_BOUNDARY, searchFrom);
+          if (pos < 0) {
+            break;
+          }
+
+          // Only match a real parameter (must be preceded by ';' with optional whitespace)
+          int p = pos - 1;
+          while (p >= 0 && (lowcase.charAt(p) == ' ' || lowcase.charAt(p) == '\t')) {
+            p--;
+          }
+          if (p >= 0 && lowcase.charAt(p) == ';') {
+            bpos = pos;
+            break;
+          }
+
+          searchFrom = pos + 1;
+        }
+
+        if (bpos < 0) {
+          // No valid boundary parameter found — cannot parse multipart body.
+          async_ws_log_d("Missing multipart boundary parameter, aborting");
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
+
+        // Extract the boundary value; strip any following parameters, optional
+        // surrounding whitespace and quotes (RFC 2046 allows quoted-string).
+        _boundary = value.substring(bpos + (int)T_BOUNDARY_LEN);
+        int semi = _boundary.indexOf(';');
+        if (semi >= 0) {
+          _boundary = _boundary.substring(0, semi);
+        }
+
+        _boundary.trim();
         _boundary.replace(String('"'), String());
+
+        // CWE-190 / DoS fix: RFC 2046 §5.1 limits boundary strings to 70
+        // characters.  _boundaryPosition was formerly uint8_t, so a boundary
+        // of exactly 256 bytes would overflow the counter to 0, preventing the
+        // BOUNDARY_OR_DATA loop from ever reaching the end of the boundary and
+        // causing unbounded CPU consumption (watchdog reset on ESP32/ESP8266).
+        // Reject boundaries outside the valid range before any parsing begins.
+        if (_boundary.length() == 0 || _boundary.length() > 70) {
+          async_ws_log_d("Invalid multipart boundary length (%u), aborting", _boundary.length());
+          _parseState = PARSE_REQ_FAIL;
+          abort();
+          return true;
+        }
+
         _isMultipart = true;
       }
     } else if (name.equalsIgnoreCase(T_Content_Length) || name.equalsIgnoreCase(T_X_Expected_Entity_Length)) {
@@ -743,8 +802,9 @@ void AsyncWebServerRequest::_parseMultipartPostByte(uint8_t data, bool last) {
       itemWriteByte('\n');
       itemWriteByte('-');
       itemWriteByte('-');
-      uint8_t i;
-      for (i = 0; i < _boundaryPosition; i++) {
+      // CWE-190 fix: loop variable was uint8_t, matching the old type of
+      // _boundaryPosition.  Changed to size_t for consistency.
+      for (size_t i = 0; i < _boundaryPosition; i++) {
         itemWriteByte(_boundary.c_str()[i]);
       }
       _parseMultipartPostByte(data, last);

src/literals.h

@@ -108,6 +108,8 @@ static constexpr const char T_username[] = "username";
 static constexpr const char T_WS[] = "websocket";
 static constexpr const char T_WWW_AUTH[] = "WWW-Authenticate";
 static constexpr const char T_X_Expected_Entity_Length[] = "X-Expected-Entity-Length";
+static constexpr const char T_BOUNDARY[] = "boundary=";
+static constexpr size_t T_BOUNDARY_LEN = sizeof(T_BOUNDARY) - 1;
 
 // HTTP Methods
 static constexpr const char T_GET[] = "GET";