commit 89ef3d95e781148a0951956029c92a211477f7f9
author Katie Hockman <katie@golang.org> Fri Apr 23 12:56:01 2021 -0400
committer Katie Hockman <katie@golang.org> Wed Apr 28 14:07:49 2021 +0000
tree 3c1137b738e04271d6dd9246ef9fddf31de0af0b
parent 85d9c07bbe3a33a875ef21b02f48ac405ad17d5f

http/httpguts: remove recursion in HeaderValuesContainsToken

Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).

Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.

Fixes CVE-2021-31525

Fixes golang/go#45710

Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

http/httpguts/httplex.go

diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
index e7de24e..c79aa73 100644
--- a/http/httpguts/httplex.go
+++ b/http/httpguts/httplex.go
@@ -137,11 +137,13 @@
 // contains token amongst its comma-separated tokens, ASCII
 // case-insensitively.
 func headerValueContainsToken(v string, token string) bool {
-	v = trimOWS(v)
-	if comma := strings.IndexByte(v, ','); comma != -1 {
-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
+	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
+		if tokenEqual(trimOWS(v[:comma]), token) {
+			return true
+		}
+		v = v[comma+1:]
 	}
-	return tokenEqual(v, token)
+	return tokenEqual(trimOWS(v), token)
 }
 
 // lowerASCII returns the ASCII lowercase version of b.