http_client: reject invalid chunked size lines

edsiper · edsiper · commit bd507b393c5b · 2026-04-09T11:34:34.000-06:00
Signed-off-by: Eduardo Silva &lt;eduardo@chronosphere.io&gt;
diff --git a/src/flb_http_client.c b/src/flb_http_client.c
@@ -377,6 +377,8 @@ static int chunked_data_size(char *buf, size_t length,
 {
     char   *cursor;
     char   *line_end;
+    int     extension_started;
+    size_t  digit;
     size_t  digit_count;
     size_t  line_length;
     size_t  total_size;
@@ -400,22 +402,28 @@ static int chunked_data_size(char *buf, size_t length,
 
     errno = 0;
     digit_count = 0;
+    extension_started = FLB_FALSE;
     value = 0;
 
     while (digit_count < line_length) {
         if (*cursor >= '0' && *cursor <= '9') {
-            value = (value * 16) + (*cursor - '0');
+            digit = *cursor - '0';
         }
         else if (*cursor >= 'a' && *cursor <= 'f') {
-            value = (value * 16) + (*cursor - 'a') + 10;
+            digit = (*cursor - 'a') + 10;
         }
         else if (*cursor >= 'A' && *cursor <= 'F') {
-            value = (value * 16) + (*cursor - 'A') + 10;
+            digit = (*cursor - 'A') + 10;
         }
         else {
             break;
         }
 
+        if (value > ((SIZE_MAX - digit) / 16)) {
+            return FLB_HTTP_ERROR;
+        }
+
+        value = (value * 16) + digit;
         digit_count++;
         cursor++;
     }
@@ -432,10 +440,23 @@ static int chunked_data_size(char *buf, size_t length,
     if (digit_count < line_length && *cursor == ';') {
         cursor++;
         digit_count++;
+        extension_started = FLB_TRUE;
     }
 
     while (digit_count < line_length) {
-        if (*cursor == '\0') {
+        if (extension_started == FLB_FALSE) {
+            if (*cursor != ' ' && *cursor != '\t') {
+                return FLB_HTTP_ERROR;
+            }
+        }
+        else if (*cursor != ' ' && *cursor != '\t' && *cursor != ';' &&
+                 *cursor != '=' && *cursor != '"' && *cursor != '\\' &&
+                 *cursor != '/' && *cursor != ',' && *cursor != '_' &&
+                 *cursor != '-' && *cursor != '.' && *cursor != ':' &&
+                 *cursor != '(' && *cursor != ')' &&
+                 !(*cursor >= '0' && *cursor <= '9') &&
+                 !(*cursor >= 'a' && *cursor <= 'z') &&
+                 !(*cursor >= 'A' && *cursor <= 'Z')) {
             return FLB_HTTP_ERROR;
         }
 
@@ -449,12 +470,20 @@ static int chunked_data_size(char *buf, size_t length,
         return FLB_HTTP_OK;
     }
 
+    if (value > (SIZE_MAX - total_size - 2)) {
+        return FLB_HTTP_ERROR;
+    }
+
     total_size += value + 2;
 
     if (length < total_size) {
         return FLB_HTTP_MORE;
     }
 
+    if (value > (length - ((line_end + 2) - buf) - 2)) {
+        return FLB_HTTP_MORE;
+    }
+
     if (line_end[2 + value] != '\r' || line_end[3 + value] != '\n') {
         return FLB_HTTP_ERROR;
     }
