From 50e85797507a3ba13193f368cff461c08e44a9b3 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh <yehuda@redhat.com>
Date: Fri, 1 Aug 2014 16:15:36 -0700
Subject: [PATCH] rgw: don't allow negative / invalid content length

Certain frontends (e.g., civetweb) don't filter such requests.

Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
(cherry picked from commit 0e74b7a1d56733358e2f1d3df4386125a94c2966)
---
 src/rgw/rgw_common.h |  2 +-
 src/rgw/rgw_op.cc    |  2 +-
 src/rgw/rgw_rest.cc  | 17 ++++++++++++++---
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 975bb9dbc63df..62c3579981039 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -863,7 +863,7 @@ struct req_state {
    string decoded_uri;
    string relative_uri;
    const char *length;
-   uint64_t content_length;
+   int64_t content_length;
    map<string, string> generic_attrs;
    struct rgw_err err;
    bool expect_cont;
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index cc557d8b5d5e8..ec647778945f0 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -1670,7 +1670,7 @@ void RGWPutObj::execute()
     ofs += len;
   } while (len > 0);
 
-  if (!chunked_upload && (uint64_t)ofs != s->content_length) {
+  if (!chunked_upload && ofs != s->content_length) {
     ret = -ERR_REQUEST_TIMEOUT;
     goto done;
   }
diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index a907decf063d5..768ca09a476f7 100644
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
@@ -1240,10 +1240,21 @@ int RGWREST::preprocess(struct req_state *s, RGWClientIO *cio)
   url_decode(s->info.request_uri, s->decoded_uri);
   s->length = info.env->get("CONTENT_LENGTH");
   if (s->length) {
-    if (*s->length == '\0')
+    if (*s->length == '\0') {
       s->content_length = 0;
-    else
-      s->content_length = atoll(s->length);
+    } else {
+      string err;
+      s->content_length = strict_strtol(s->length, 10, &err);
+      if (!err.empty()) {
+        ldout(s->cct, 10) << "bad content length, aborting" << dendl;
+        return -EINVAL;
+      }
+    }
+  }
+
+  if (s->content_length < 0) {
+    ldout(s->cct, 10) << "negative content length, aborting" << dendl;
+    return -EINVAL;
   }
 
   map<string, string>::iterator giter;
-- 
2.39.5