1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
From 874b3132a84cf76da6a48978826c04c380a37a50 Mon Sep 17 00:00:00 2001
From: avivklas <avivklas@gmail.com>
Date: Fri, 7 Aug 2020 21:50:12 +0300
Subject: [PATCH] mime/multipart: return overflow errors in Reader.ReadForm
Updates Reader.ReadForm to check for overflow errors that may
result from a leeway addition of 10MiB to the input argument
maxMemory.
Fixes #40430
Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Trust: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Upstream-Status: Backport [https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50]
CVE: CVE-2022-41725 #Dependency Patch1
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
src/mime/multipart/formdata.go | 4 ++++
src/mime/multipart/formdata_test.go | 18 ++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
index 832d0ad693666..4eb31012941ac 100644
--- a/src/mime/multipart/formdata.go
+++ b/src/mime/multipart/formdata.go
@@ -7,6 +7,7 @@ package multipart
import (
"bytes"
"errors"
+ "fmt"
"io"
"io/ioutil"
"net/textproto"
@@ -41,6 +42,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
// Reserve an additional 10 MB for non-file parts.
maxValueBytes := maxMemory + int64(10<<20)
+ if maxValueBytes <= 0 {
+ return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
+ }
for {
p, err := r.NextPart()
if err == io.EOF {
diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
index 7d756c8c244a0..7112e0d3727fe 100644
--- a/src/mime/multipart/formdata_test.go
+++ b/src/mime/multipart/formdata_test.go
@@ -7,6 +7,7 @@ package multipart
import (
"bytes"
"io"
+ "math"
"os"
"strings"
"testing"
@@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
}
}
+// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
+// instead of silently and subtly failing without indication.
+func TestReadFormMaxMemoryOverflow(t *testing.T) {
+ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
+ r := NewReader(b, boundary)
+ f, err := r.ReadForm(math.MaxInt64)
+ if err == nil {
+ t.Fatal("Unexpected a non-nil error")
+ }
+ if f != nil {
+ t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
+ }
+ if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
+ t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
+ }
+}
+
func TestReadFormWithTextContentType(t *testing.T) {
// From https://github.com/golang/go/issues/24041
b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
|