http/httpguts: remove recursion in HeaderValuesContainsToken
Previously, httpguts.HeaderValuesContainsToken called a
function which could recurse to the point of a stack
overflow when given a very large header (~10MB).
Credit to Guido Vranken who reported the crash as
part of the Ethereum 2.0 bounty program.
Fixes CVE-2021-31525
Fixes golang/go#45710
Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3
Reviewed-on: https://go-review.googlesource.com/c/net/+/313069
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
index e7de24e..c79aa73 100644
--- a/http/httpguts/httplex.go
+++ b/http/httpguts/httplex.go
@@ -137,11 +137,13 @@
// contains token amongst its comma-separated tokens, ASCII
// case-insensitively.
func headerValueContainsToken(v string, token string) bool {
- v = trimOWS(v)
- if comma := strings.IndexByte(v, ','); comma != -1 {
- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
+ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
+ if tokenEqual(trimOWS(v[:comma]), token) {
+ return true
+ }
+ v = v[comma+1:]
}
- return tokenEqual(v, token)
+ return tokenEqual(trimOWS(v), token)
}
// lowerASCII returns the ASCII lowercase version of b.