From 7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 28 Apr 2015 17:23:06 +0300
Subject: [PATCH] WPS: Check maximum HTTP body length earlier in the process

There is no need to continue processing a HTTP body when it becomes clear that the end result would be over the maximum length.

Signed-off-by: Jouni Malinen
---
 src/wps/httpread.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index 3570a1fda..454519ca5 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -177,6 +177,12 @@ static int httpread_hdr_option_analyze(
 if (!isdigit(*hbp))
 return -1;
 h->content_length = atol(hbp);
+ if (h->content_length < 0 || h->content_length > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Unacceptable Content-Length %d",
+ h->content_length);
+ return -1;
+ }
 h->got_content_length = 1;
 return 0;
 }
@@ -509,6 +515,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
 if (h->got_content_length &&
 new_alloc_nbytes < (h->content_length + 1))
 new_alloc_nbytes = h->content_length + 1;
+ if (new_alloc_nbytes < h->body_alloc_nbytes ||
+ new_alloc_nbytes > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Unacceptable body length %d",
+ new_alloc_nbytes);
+ goto bad;
+ }
 if ((new_body = os_realloc(h->body, new_alloc_nbytes))
 == NULL)
 goto bad;
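Review bot: In the first hunk (httpread_hdr_option_analyze) the new bound `h->content_length < 0 || h->content_length > h->max_bytes` is applied only after `atol(hbp)` has been stored in `content_length`, which the `%d` in the log call suggests is an `int`. Where `long` is wider than `int`, a header value above INT_MAX can be narrowed to a small non-negative number before the comparison and pass it, and `atol` gives no error indication when the digits do not fit in a `long`. Parsing into a local with `strtol` and bounding it before the assignment would make the check see the value the peer actually sent: `errno = 0; long len = strtol(hbp, NULL, 10);` then `if (errno == ERANGE || len < 0 || len > h->max_bytes) return -1;`. The function body starts and ends outside the hunk, so the declared types are inferred.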
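Review bot: In the second hunk (httpread_read_handler) the limit `new_alloc_nbytes > h->max_bytes` is one byte stricter than the Content-Length check added in the first hunk: a header equal to `max_bytes` is accepted there, but `h->content_length + 1` then exceeds `max_bytes` here and the request goes to `bad`. The starting value of `new_alloc_nbytes` is computed outside the hunk, so if it is grown in fixed steps the same comparison may also reject bodies that are within the limit (inferred, not visible here). Either bound the allocation as `new_alloc_nbytes > h->max_bytes + 1`, or tighten the header check to `h->content_length >= h->max_bytes`, and add a comment stating whether `max_bytes` counts the terminating byte. The `new_alloc_nbytes < h->body_alloc_nbytes` wrap test also runs after the addition, which for a signed type is too late to rely on.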