https://bz.apache.org/bugzilla/show_bug.cgi?id=69762
Bug ID: 69762
Summary: Integer overflow in HPACK integer decoding
Product: Tomcat 9
Version: 9.0.107
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: jeppe.b.wei...@gmail.com
Target Milestone: ---

The HPACK varint decoding function 'decodeInteger' in Apache Tomcat contains an integer overflow.

https://github.com/apache/tomcat/blob/main/java/org/apache/coyote/http2/Hpack.java#L146-177

Tomcat allows 8 encoded octets and stores the result in a (32-bit signed) int. Since 8 encoded HPACK variable-length integer bytes can exceed the maximum value that can be represented by a 32-bit int, this leads to an integer overflow when decoding very large varints.

It's possible that this overflow could have a security impact, i.e. by causing desynchronization of dynamic tables and thus causing connection confusion (e.g. when the overflowing integer is used as a header table index).

I believe the best way to fix this issue is by simply setting 'MAX_INTEGER_OCTETS' to 4 instead of 8 here:

https://github.com/apache/tomcat/blob/main/java/org/apache/coyote/http2/Hpack.java#L29

This will ensure that it won't be possible to overflow the int.
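Added example, not Tomcat's code or the reporter's: a minimal RFC 7541 section 5.1 integer decoder in Java, once accumulating into a long (reference) and once into a 32-bit int with a configurable continuation-octet cap, so the overflow described above and the effect of the proposed cap can be seen side by side. Class, method names and the constructed byte sequences are assumptions. With an 8-octet cap a constructed encoding of 2^32 + 127 loses its high term and decodes to a small, valid-looking index; with the 4-octet cap the reporter proposes (4 x 7 continuation bits plus at most 8 prefix bits stays below 2^31) the same input is rejected instead.

```java
// Added example (hypothetical names), not Tomcat's Hpack.decodeInteger.
public class HpackIntDemo {

    // Reference decode into a long: exact for every input used here.
    static long decodeLong(byte[] in, int prefixBits) {
        int mask = (1 << prefixBits) - 1;
        long i = in[0] & mask;
        if (i < mask) {
            return i;                       // value fit in the prefix
        }
        int m = 0, p = 1, b;
        do {
            b = in[p++] & 0xFF;
            i += ((long) (b & 0x7F)) << m;  // 7 payload bits per octet
            m += 7;
        } while ((b & 0x80) != 0);          // high bit = more octets follow
        return i;
    }

    // Same algorithm accumulating into a 32-bit int. Once m reaches 28 a
    // term can extend past bit 31; Java drops those bits (and reduces a
    // shift distance mod 32), so the sum silently wraps or loses the term.
    // maxOctets counts continuation octets only.
    static int decodeInt(byte[] in, int prefixBits, int maxOctets) {
        int mask = (1 << prefixBits) - 1;
        int i = in[0] & mask;
        if (i < mask) {
            return i;
        }
        int m = 0, p = 1, b, count = 0;
        do {
            if (++count > maxOctets) {
                throw new IllegalArgumentException(
                        "integer encoded over more than " + maxOctets + " octets");
            }
            b = in[p++] & 0xFF;
            i += (b & 0x7F) << m;
            m += 7;
        } while ((b & 0x80) != 0);
        return i;
    }

    public static void main(String[] args) {
        // Constructed: 7-bit prefix (0x7F) then five continuation octets; the last
        // octet contributes 16 << 28 = 2^32, so the value is 2^32 + 127.
        byte[] huge = {(byte) 0xFF, (byte) 0x80, (byte) 0x80, (byte) 0x80, (byte) 0x80, 0x10};
        System.out.println("reference  : " + decodeLong(huge, 7));
        System.out.println("int, cap 8 : " + decodeInt(huge, 7, 8));
        try {
            decodeInt(huge, 7, 4);          // the cap the reporter proposes
        } catch (IllegalArgumentException e) {
            System.out.println("int, cap 4 : rejected (" + e.getMessage() + ")");
        }
        // Constructed well-formed value 255 with a 7-bit prefix: identical in both decoders.
        byte[] small = {(byte) 0xFF, (byte) 0x80, 0x01};
        System.out.println("small      : " + decodeLong(small, 7) + " / " + decodeInt(small, 7, 4));
    }
}
```

Comparing the long and int results for the same bytes is the check a reviewer would run on any varint decoder that stores into a fixed-width type.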