client: perform strict chunk size parsing

We can not rely on `strtoul()` to parse hexadecimal chunk sizes as it
accepts a wider range of inputs than what is allowed by the HTTP spec.

Decode the chunk sizes manually and fix skipping chunk extension headers
while we're at it. Also ensure that there's no trailing garbage after
the size and that we bail out on overflows.

Fixes: #3
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Author: jow-

client.c

@@ -404,6 +404,52 @@ static void client_parse_header(struct client *cl, char *data)
 	cl->state = CLIENT_STATE_HEADER;
 }
 
+static int parse_chunksize(char *buf, char *end)
+{
+	int size = 0;
+
+	if (buf == end)
+		return -1; /* empty size */
+
+	while (buf < end) {
+		int n;
+
+		if (*buf >= '0' && *buf <= '9')
+			n = *buf - '0';
+		else if (*buf >= 'a' && *buf <= 'f')
+			n = 10 + *buf - 'a';
+		else if (*buf >= 'A' && *buf <= 'F')
+			n = 10 + *buf - 'A';
+		else
+			break;
+
+		if (size > INT_MAX / 16)
+			return -1; /* overflow */
+
+		size *= 16;
+
+		if (size > INT_MAX - n)
+			return -1; /* overflow */
+
+		size += n;
+		buf++;
+	}
+
+	/* if whitespace follows, there must be header extension as well... */
+	char *p = buf;
+
+	while (p < end && (*p == ' ' || *p == '\t'))
+		p++;
+
+	if (p > buf && *p != ';')
+		return -1; /* whitespace after size but no chunk-ext */
+
+	if (p == buf && buf < end)
+		return -1; /* garbage after size */
+
+	return size;
+}
+
 void client_poll_post_data(struct client *cl)
 {
 	struct dispatch *d = &cl->dispatch;
@@ -450,14 +496,12 @@ void client_poll_post_data(struct client *cl)
 		if (!sep)
 			break;
 
-		*sep = 0;
-
-		r->content_length = strtoul(buf + offset, &sep, 16);
+		r->content_length = parse_chunksize(buf + offset, sep);
 		r->transfer_chunked++;
 		ustream_consume(cl->us, sep + 2 - buf);
 
 		/* invalid chunk length */
-		if ((sep && *sep) || r->content_length < 0) {
+		if (r->content_length < 0) {
 			r->content_length = 0;
 			r->transfer_chunked = 0;
 			break;