From 4e5a313524da62600eb59dbf98624cfe946456f8 Mon Sep 17 00:00:00 2001 From: Emmanuel T Odeke Date: Tue, 20 Oct 2020 04:11:12 -0700 Subject: [PATCH] net/http: test that ParseMultipartForm catches overflows Tests that if the combination of: * HTTP multipart file payload size * ParseMultipartForm's maxMemory parameter * the internal leeway buffer size of 10MiB overflows, then we'll report an overflow instead of silently passing. Reapplies and fixes CL 254977, which was reverted in CL 263658. The prior test lacked a res.Body.Close(), so fixed that and added a leaked Transport check to verify correctness. Updates 40430. Change-Id: I3c0f7ef43d621f6eb00f07755f04f9f36c51f98f Reviewed-on: https://go-review.googlesource.com/c/go/+/263817 Run-TryBot: Emmanuel Odeke TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills Trust: Damien Neil Upstream-Status: Backport [https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8] CVE: CVE-2022-41725 #Dependency Patch2 Signed-off-by: Vijay Anusuri --- src/net/http/request_test.go | 45 ++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go index b4ef472e71229..19526b9ad791a 100644 --- a/src/net/http/request_test.go +++ b/src/net/http/request_test.go @@ -13,6 +13,7 @@ import ( "fmt" "io" "io/ioutil" + "math" "mime/multipart" . "net/http" "net/http/httptest" @@ -245,6 +246,50 @@ func TestParseMultipartForm(t *testing.T) { } } +// Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with +// the payload size and the internal leeway buffer size of 10MiB overflows, that we +// correctly return an error. +func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) { + defer afterTest(t) + + payloadSize := 1 << 10 + cst := httptest.NewServer(HandlerFunc(func(rw ResponseWriter, req *Request) { + // The combination of: + // MaxInt64 + payloadSize + (internal spare of 10MiB) + // triggers the overflow. See issue https://golang.org/issue/40430/ + if err := req.ParseMultipartForm(math.MaxInt64); err != nil { + Error(rw, err.Error(), StatusBadRequest) + return + } + })) + defer cst.Close() + fBuf := new(bytes.Buffer) + mw := multipart.NewWriter(fBuf) + mf, err := mw.CreateFormFile("file", "myfile.txt") + if err != nil { + t.Fatal(err) + } + if _, err := mf.Write(bytes.Repeat([]byte("abc"), payloadSize)); err != nil { + t.Fatal(err) + } + if err := mw.Close(); err != nil { + t.Fatal(err) + } + req, err := NewRequest("POST", cst.URL, fBuf) + if err != nil { + t.Fatal(err) + } + req.Header.Set("Content-Type", mw.FormDataContentType()) + res, err := cst.Client().Do(req) + if err != nil { + t.Fatal(err) + } + res.Body.Close() + if g, w := res.StatusCode, StatusBadRequest; g != w { + t.Fatalf("Status code mismatch: got %d, want %d", g, w) + } +} + func TestRedirect_h1(t *testing.T) { testRedirect(t, h1Mode) } func TestRedirect_h2(t *testing.T) { testRedirect(t, h2Mode) } func testRedirect(t *testing.T, h2 bool) {