Integer overflows in parse_content_range() and gethttp()

[vulnerabilityspotter]

Security Vulnerability Report

File: src/http.c

Functions: parse_content_range() and gethttp()

Vulnerability Type: Integer Overflow

Location: Lines 936, 942, 955 and 3739

Severity: High

Description:

In the parse_content_range() function, at lines 936, 942, 955, there exists a 
vulnerability related to an integer overflow. The vulnerability arises from the 
calculation of the variable num, which is assigned the value of

num = 10 * num + (*hdr - '0');

Both the multiplication and addition can lead to an integer overflow, and lead 
to unexpected behavior, due to the lack of validation.

Furthermore similarly to 
[curl/curl#12983](https://github.com/curl/curl/issues/12983), at line 3739 of 
function gethttp(), the calculation of the contlen variable can also overflow:

contlen = last_byte_pos - first_byte_pos + 1;

Exploitation Scenario:

An attacker may craft a malicious request with carefully chosen values in the 
Content-Range header, triggering an integer overflow during the calculation of 
num and contlen. This could potentially lead to various security issues, such 
as memory corruption, buffer overflows, or unexpected behavior, depending on 
how the num and contlen variables is subsequently used.

Impact:

The impact of this vulnerability could be severe, potentially leading to:

Memory Corruption: If the calculated num and contlen value are used to allocate 
memory or perform operations such as copying data, an integer overflow could 
result in memory corruption, leading to crashes or arbitrary code execution.

Security Bypass: In scenarios where num and contlen value are used to enforce 
boundaries or permissions, an attacker may exploit the integer overflow to 
bypass security checks or gain unauthorized access to sensitive resources.

Denial of Service (DoS): A carefully crafted request exploiting the integer 
overflow could cause the application to enter an unexpected state or consume 
excessive resources, leading to a denial of service condition.

Recommendations:

Bounds Checking: Implement proper bounds checking to ensure that the values of 
num and contlen are within acceptable ranges before performing calculations.

Safe Arithmetic Operations: Consider using safer arithmetic operations or 
alternative calculation methods to prevent integer overflows, especially when 
dealing with potentially large or close-to-boundary values.

Input Validation: Validate input parameters to ensure they adhere to expected 
ranges and constraints before performing calculations.

Error Handling: Implement robust error handling mechanisms to gracefully handle 
scenarios where input parameters result in unexpected or invalid calculations.

Severity Justification:

The presence of an integer overflow vulnerability at lines 936, 942, 955 and 
3739 poses a high risk to the security and stability of the application. 
Exploitation of this vulnerability could lead to severe consequences, including 
memory corruption, security bypass, or denial of service conditions.

Affected Versions:

This vulnerability affects all versions of the application that include the 
vulnerable parse_content_range() and gethttp() functions.

References:

OWASP Integer Overflow
CWE-190: Integer Overflow or Wraparound
CERT Secure Coding - INT32-C

Conclusion:

The presence of an integer overflow vulnerability at lines 936, 942, 955 in the 
parse_content_range() function and line 3739 of gethttp() poses a high risk to 
the security and stability of the application. It is imperative to address this 
vulnerability promptly by implementing appropriate bounds checking and error 
handling mechanisms to prevent potential exploitation and associated security 
risks.

Sent with [Proton Mail](https://proton.me/) secure email.