From 2789d1a8592b910292d1eb54ffd62b34ac7091ed Mon Sep 17 00:00:00 2001
From: Gunnar Beutner <gunnar.beutner@icinga.com>
Date: Wed, 31 Jan 2018 07:59:49 +0100
Subject: [PATCH] Add validation for HTTP connection sizes

---
 lib/remote/httpchunkedencoding.cpp | 2 ++
 lib/remote/httprequest.cpp         | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/remote/httpchunkedencoding.cpp b/lib/remote/httpchunkedencoding.cpp
index e79d3483a..9981749c2 100644
--- a/lib/remote/httpchunkedencoding.cpp
+++ b/lib/remote/httpchunkedencoding.cpp
@@ -37,6 +37,8 @@ StreamReadStatus HttpChunkedEncoding::ReadChunkFromStream(const Stream::Ptr& str
 		msgbuf << std::hex << line;
 		msgbuf >> context.LengthIndicator;
 
+		if (context.LengthIndicator < 0)
+			BOOST_THROW_EXCEPTION(std::invalid_argument("HTTP chunk length must not be negative."));
 	}
 
 	StreamReadContext& scontext = context.StreamContext;
diff --git a/lib/remote/httprequest.cpp b/lib/remote/httprequest.cpp
index 546728d66..b85a3d0ec 100644
--- a/lib/remote/httprequest.cpp
+++ b/lib/remote/httprequest.cpp
@@ -126,7 +126,12 @@ bool HttpRequest::Parse(StreamReadContext& src, bool may_wait)
 				src.MustRead = false;
 			}
 
-			size_t length_indicator = Convert::ToLong(Headers->Get("content-length"));
+			long length_indicator_signed = Convert::ToLong(Headers->Get("content-length"));
+
+			if (length_indicator_signed < 0)
+				BOOST_THROW_EXCEPTION(std::invalid_argument("Content-Length must not be negative."));
+
+			size_t length_indicator = length_indicator_signed;
 
 			if (src.Size < length_indicator) {
 				src.MustRead = true;