[internal-branch.go1.16-vendor] http/httpguts: remove recursion in He…

…aderValuesContainsToken Previously, httpguts.HeaderValuesContainsToken called a function which could recurse to the point of a stack overflow when given a very large header (~10MB). Credit to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program. Fixes CVE-2021-31525 Updates golang/go#45710 Updates golang/go#45712 Change-Id: I2c54ce3b2acf1c5efdea66db0595b93a3f5ae5f3 Reviewed-on: https://go-review.googlesource.com/c/net/+/313069 Trust: Katie Hockman <[email protected]> Run-TryBot: Katie Hockman <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit 89ef3d9) Reviewed-on: https://go-review.googlesource.com/c/net/+/314649 Reviewed-by: Dmitri Shuralyov <[email protected]>
golang · Apr 28, 2021 · 3f4a416 · 3f4a416
1 parent ac852fb
commit 3f4a416
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/http/httpguts/httplex.go b/http/httpguts/httplex.go
@@ -137,11 +137,13 @@ func trimOWS(x string) string {
 // contains token amongst its comma-separated tokens, ASCII
 // case-insensitively.
 func headerValueContainsToken(v string, token string) bool {
-	v = trimOWS(v)
-	if comma := strings.IndexByte(v, ','); comma != -1 {
-		return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
+	for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
+		if tokenEqual(trimOWS(v[:comma]), token) {
+			return true
+		}
+		v = v[comma+1:]
 	}
-	return tokenEqual(v, token)
+	return tokenEqual(trimOWS(v), token)
 }
 
 // lowerASCII returns the ASCII lowercase version of b.