[tcp] fixed potential buffer overflow due to insane large Content-Len values

Check and limit the Content-Lenght to the size of the reading buffer, makes no sense to accept anything higher.

Author: bogdan-iancu

modules/janus/ws_handshake_common.h

@@ -1164,6 +1164,13 @@ static int janus_ws_read_http(janus_connection *c, struct tcp_req *r)
 					case '8':
 					case '9':
 						r->content_len=r->content_len*10+(*p-'0');
+						if (r->content_len>=TCP_BUF_SIZE) {
+							LM_ERR("Content-Length value %d bigger than the "
+								"reading buffer\n", r->content_len);
+							r->error = TCP_REQ_BAD_LEN;
+							r->state = H_SKIP;
+							r->content_len = 0;
+						}
 						break;
 					case '\r':
 					case ' ':

modules/proto_ws/ws_handshake_common.h

@@ -1617,6 +1617,13 @@ static int ws_read_http(struct tcp_connection *c, struct tcp_req *r)
 					case '8':
 					case '9':
 						r->content_len=r->content_len*10+(*p-'0');
+						if (r->content_len>=TCP_BUF_SIZE) {
+							LM_ERR("Content-Length value %d bigger than the "
+								"reading buffer\n", r->content_len);
+							r->error = TCP_REQ_BAD_LEN;
+							r->state = H_SKIP;
+							r->content_len = 0;
+						}
 						break;
 					case '\r':
 					case ' ':

net/proto_tcp/tcp_common.h

@@ -295,6 +295,13 @@ inline static void tcp_parse_headers(struct tcp_req *r,
 					case '8':
 					case '9':
 						r->content_len=r->content_len*10+(*p-'0');
+						if (r->content_len>=TCP_BUF_SIZE) {
+							LM_ERR("Content-Length value %d bigger than the "
+								"reading buffer\n", r->content_len);
+							r->error = TCP_REQ_BAD_LEN;
+							r->state = H_SKIP;
+							r->content_len = 0;
+						}
 						break;
 					case '\r':
 					case ' ':