From 567bd3ee033b4416908da2245c3eac0feb20b757 Mon Sep 17 00:00:00 2001
From: Nico Golde
Date: Thu, 2 Apr 2009 12:59:31 +0200
Subject: [PATCH] Fix integer overflow, CVE-2008-1771

Fix integer overflow leading to heap-based buffer overflow causing a remote Denial of Service and possibly allows to execute arbitrary code.
---
 src/webserver.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/webserver.c b/src/webserver.c
index b68d1a74..5b3bb11f 100644
--- a/src/webserver.c
+++ b/src/webserver.c
@@ -716,7 +716,12 @@ int ws_getpostvars(WS_CONNINFO *pwsc) {
 return FALSE;
 }
- length=atoi(content_length);
+ length=strtol(content_length, NULL, 10);
+ if(EINVAL == errno || UINT_MAX - 1 <= length){
+ ws_dprintf(L_WS_WARN, "Thread %d: Suspicious Content-Length value, ignoring request\n", pwsc->threadno);
+ return FALSE;
+ }
+ ws_dprintf(L_WS_DBG,"Thread %d: Post var length: %d\n", pwsc->threadno,length);
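Review bot: The guard added after `strtol` misses most bad Content-Length values: `errno` is never cleared before the call, `strtol` reports out-of-range input with `ERANGE` rather than `EINVAL`, and `UINT_MAX - 1 <= length` can only match the top two unsigned values. The declaration of `length` is outside the hunk, but the `%d` in the debug print suggests it is an `int`, in which case the `long` result is narrowed on assignment and any negative value other than -1 or -2 passes the check. Parsing into a `long`, then testing the end pointer, `errno == ERANGE` and an explicit 0..maximum range before assigning would cover these cases; the cap in the sketch below is a placeholder for whatever limit the server chooses, and the two new locals belong with the function's other declarations. The body of ws_getpostvars continues outside the hunk, so how `length` is used afterwards is not visible here.

```c
    char *end;
    long parsed;

    errno = 0; /* strtol sets errno only on failure, so clear any stale value */
    parsed = strtol(content_length, &end, 10);
    /* MAX_POST_LENGTH_PLACEHOLDER: placeholder name for a project-chosen upper bound */
    if(end == content_length || ERANGE == errno ||
       parsed < 0 || parsed > MAX_POST_LENGTH_PLACEHOLDER){
        /* ... unchanged: L_WS_WARN message and return FALSE ... */
    }
    length=parsed; /* in range, so the narrowing assignment is safe */
```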