Bound buffered HTTP body size

Clamp per-chunk and aggregated HTTP response sizes before allocating in wolfIO_HttpProcessResponseBuf so untrusted Content-Length or chunk headers can’t overflow the arithmetic or force giant buffers.
2026-01-26 21:22:19 +01:00 · 2025-10-21 14:13:41 +01:00
parent be1428d108
commit 259670055a
1 changed files with 23 additions and 1 deletions
--- a/src/wolfio.c
+++ b/src/wolfio.c
@@ -1670,12 +1670,17 @@ int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath,
    return result;
 }

+#ifndef WOLFIO_HTTP_MAX_BODY
+/* Upper bound on an HTTP body that will be buffered in memory. */
+#define WOLFIO_HTTP_MAX_BODY (32 * 1024 * 1024)
+#endif
+
 static int wolfIO_HttpProcessResponseBuf(WolfSSLGenericIORecvCb ioCb,
    void* ioCbCtx, byte **recvBuf, int* recvBufSz, int chunkSz, char* start,
    int len, int dynType, void* heap)
 {
    byte* newRecvBuf = NULL;
-    int newRecvSz = *recvBufSz + chunkSz;
+    int newRecvSz;
    int pos = 0;

    WOLFSSL_MSG("Processing HTTP response");
@@ -1691,6 +1696,23 @@ static int wolfIO_HttpProcessResponseBuf(WolfSSLGenericIORecvCb ioCb,
        return MEMORY_E;
    }

+    if (chunkSz > WOLFIO_HTTP_MAX_BODY) {
+        WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf chunk too large");
+        return BUFFER_ERROR;
+    }
+
+    if (*recvBufSz < 0 || *recvBufSz > WOLFIO_HTTP_MAX_BODY - chunkSz) {
+        WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf aggregate body too large");
+        return BUFFER_ERROR;
+    }
+
+    if (len > chunkSz) {
+        WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf len exceeds chunk size");
+        return WOLFSSL_FATAL_ERROR;
+    }
+
+    newRecvSz = *recvBufSz + chunkSz;
+
    if (newRecvSz <= 0) {
        WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf new receive size overflow");
        return MEMORY_E;