From 77acb473d8f056f6f534395f131c6e45693797f0 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 4 Nov 2015 15:14:21 +0100
Subject: inets: Terminate gracfully when an invalid chunked length header is
 encountered

Also use integer_to_list/2 and list_to_integer/2 instead of reimplementing it.
---
 lib/inets/src/http_lib/http_chunk.erl              |  8 ++-
 lib/inets/src/http_lib/http_util.erl               | 69 ++--------------------
 .../src/http_server/httpd_request_handler.erl      | 10 +++-
 3 files changed, 18 insertions(+), 69 deletions(-)

diff --git a/lib/inets/src/http_lib/http_chunk.erl b/lib/inets/src/http_lib/http_chunk.erl
index 9476ea9f5f..c17ff6cce5 100644
--- a/lib/inets/src/http_lib/http_chunk.erl
+++ b/lib/inets/src/http_lib/http_chunk.erl
@@ -143,20 +143,22 @@ decode_size(Data = <<?CR, ?LF, ChunkRest/binary>>, HexList,
 	    {MaxBodySize, Body, 
 	     AccLength,
 	     MaxHeaderSize}) ->
-    ChunkSize =  http_util:hexlist_to_integer(lists:reverse(HexList)),
-     case ChunkSize of
+    try http_util:hexlist_to_integer(lists:reverse(HexList)) of
 	0 -> % Last chunk, there was no data
 	    ignore_extensions(Data, {?MODULE, decode_trailer, 
 				      [<<>>, [],[], MaxHeaderSize,
 				       Body,
 				       integer_to_list(AccLength)]});  
-	_ ->
+	ChunkSize ->
 	    %% Note decode_data may call decode_size again if there
 	    %% is more than one chunk, hence here is where the last parameter
 	    %% to this function comes in.
 	    decode_data(ChunkSize, ChunkRest, {MaxBodySize, Body, 
 					       ChunkSize + AccLength , 
 					       MaxHeaderSize})
+    catch
+	_:_ ->
+	    throw({error, {chunk_size, HexList}})
     end;
 decode_size(<<";", Rest/binary>>, HexList, Info) ->
     %% Note ignore_extensions will call decode_size/1 again when
diff --git a/lib/inets/src/http_lib/http_util.erl b/lib/inets/src/http_lib/http_util.erl
index 0d07231302..aafa97afee 100644
--- a/lib/inets/src/http_lib/http_util.erl
+++ b/lib/inets/src/http_lib/http_util.erl
@@ -152,27 +152,11 @@ convert_netscapecookie_date([_D,_A,_Y, _SP,
     Sec=list_to_integer([S1,S2]),
     {{Year,Month,Day},{Hour,Min,Sec}}.
 
-hexlist_to_integer([]) ->
-    empty;
-%%When the string only contains one value its eaasy done.
-%% 0-9
-hexlist_to_integer([Size]) when (Size >= 48) andalso (Size =< 57) ->
-   Size - 48;
-%% A-F
-hexlist_to_integer([Size]) when (Size >= 65) andalso (Size =< 70) ->
-    Size - 55;
-%% a-f
-hexlist_to_integer([Size]) when (Size >= 97) andalso (Size =< 102) ->
-    Size - 87;
-hexlist_to_integer([_Size]) ->
-    not_a_num;
+hexlist_to_integer(List) ->
+    list_to_integer(List, 16).
 
-hexlist_to_integer(Size) ->
-    Len = string:span(Size, "1234567890abcdefABCDEF"),
-    hexlist_to_integer2(Size, 16 bsl (4 *(Len-2)),0).
-
-integer_to_hexlist(Num)->
-    integer_to_hexlist(Num, get_size(Num), []).
+integer_to_hexlist(Int) ->
+    integer_to_list(Int, 16).
 
 convert_month("Jan") -> 1;
 convert_month("Feb") -> 2;
@@ -213,51 +197,6 @@ html_encode(Chars) ->
 %%%========================================================================
 %%% Internal functions
 %%%========================================================================
-hexlist_to_integer2([],_Pos,Sum)->
-    Sum;
-hexlist_to_integer2([HexVal | HexString], Pos, Sum) 
-  when HexVal >= 48, HexVal =< 57 ->
-    hexlist_to_integer2(HexString, Pos bsr 4, Sum + ((HexVal-48) * Pos));
-
-hexlist_to_integer2([HexVal | HexString], Pos, Sum) 
-  when HexVal >= 65, HexVal =<70 ->
-    hexlist_to_integer2(HexString, Pos bsr 4, Sum + ((HexVal-55) * Pos));
-
-hexlist_to_integer2([HexVal | HexString], Pos, Sum)
-  when HexVal>=97, HexVal=<102 ->
-    hexlist_to_integer2(HexString, Pos bsr 4, Sum + ((HexVal-87) * Pos));
-
-hexlist_to_integer2(_AfterHexString, _Pos, Sum)->
-    Sum.
-
-integer_to_hexlist(Num, Pot, Res) when Pot < 0 ->
-    convert_to_ascii([Num | Res]);
-
-integer_to_hexlist(Num,Pot,Res) ->
-    Position = (16 bsl (Pot*4)),
-    PosVal = Num div Position,
-    integer_to_hexlist(Num - (PosVal*Position), Pot-1, [PosVal | Res]).
-
-get_size(Num)->
-    get_size(Num, 0).
-
-get_size(Num, Pot) when Num < (16 bsl(Pot *4))  ->
-    Pot-1;
-
-get_size(Num, Pot) ->
-    get_size(Num, Pot+1).
-
-convert_to_ascii(RevesedNum) ->
-    convert_to_ascii(RevesedNum, []).
-
-convert_to_ascii([], Num)->
-    Num;
-convert_to_ascii([Num | Reversed], Number) 
-  when (Num > -1) andalso (Num < 10) ->
-    convert_to_ascii(Reversed, [Num + 48 | Number]);
-convert_to_ascii([Num | Reversed], Number) 
-  when (Num > 9) andalso (Num < 16) ->
-    convert_to_ascii(Reversed, [Num + 55 | Number]).
 
 char_to_html_entity(Char, Reserved) ->
     case sets:is_element(Char, Reserved) of
diff --git a/lib/inets/src/http_server/httpd_request_handler.erl b/lib/inets/src/http_server/httpd_request_handler.erl
index e5d006c1fd..143d599edb 100644
--- a/lib/inets/src/http_server/httpd_request_handler.erl
+++ b/lib/inets/src/http_server/httpd_request_handler.erl
@@ -443,7 +443,7 @@ handle_body(#state{headers = Headers, body = Body, mod = ModData} = State,
 	    MaxHeaderSize, MaxBodySize) ->
     case Headers#http_request_h.'transfer-encoding' of
 	"chunked" ->
-	    case http_chunk:decode(Body, MaxBodySize, MaxHeaderSize) of
+	    try http_chunk:decode(Body, MaxBodySize, MaxHeaderSize) of
 		{Module, Function, Args} ->
 		    http_transport:setopts(ModData#mod.socket_type, 
 					   ModData#mod.socket, 
@@ -455,6 +455,14 @@ handle_body(#state{headers = Headers, body = Body, mod = ModData} = State,
 			http_chunk:handle_headers(Headers, ChunkedHeaders),
 		    handle_response(State#state{headers = NewHeaders,
 						body = NewBody})
+	    catch 
+		throw:Error ->
+		    httpd_response:send_status(ModData, 400, 
+					       "Bad input"),
+		    Reason = io_lib:format("Chunk decoding failed: ~p~n", 
+					   [Error]),
+		    error_log(Reason, ModData),
+		    {stop, normal, State#state{response_sent = true}}  
 	    end;
 	Encoding when is_list(Encoding) ->
 	    httpd_response:send_status(ModData, 501, 
-- 
cgit v1.2.3