[PATCH] mongoose: Integer Underflow in Multipart Upload Parser


Stefano Babic

Mar 19, 2026, 5:50:22 AM
to swup...@googlegroups.com, Stefano Babic
The function mg_http_multipart_continue_wait_for_chunk() has
a discrepancy between its guard condition and a subsequent
subtraction in the else branch. The guard at line 250 checks
`(int) io->len < mp_stream->boundary.len + 6`, allowing execution
to continue when io->len >= boundary.len + 6.
However, when mg_strstr() finds the boundary string in the
buffer (else branch at line 264), data_len is computed as
`io->len - (mp_stream->boundary.len + 8)`. The +6 vs +8
mismatch means that when io->len is in the range [boundary.len + 6,
boundary.len + 7], the subtraction underflows the size_t
variable to SIZE_MAX or SIZE_MAX - 1.

This will fix CVE-2026-28525.

Description of the issue copied from the vulnerability report - many thanks to
Kazuma for his analysis.

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Reported-by: Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.
---
mongoose/mongoose_multipart.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mongoose/mongoose_multipart.c b/mongoose/mongoose_multipart.c
index 12ea5434..7fdc1863 100644
--- a/mongoose/mongoose_multipart.c
+++ b/mongoose/mongoose_multipart.c
@@ -261,12 +261,12 @@ static int mg_http_multipart_continue_wait_for_chunk(struct mg_connection *c) {
}
return 0;
} else {
- size_t data_len = io->len - (mp_stream->boundary.len + 8);
+ size_t data_len = io->len - (mp_stream->boundary.len + 6);
size_t consumed = mg_http_multipart_call_handler(c, MG_EV_HTTP_PART_DATA,
- (char *) io->buf, data_len);
+ (char *) io->buf, data_len);
mg_iobuf_del(io, 0, consumed);
if (consumed == data_len) {
- mg_iobuf_del(io, 0, mp_stream->boundary.len + 8);
+ mg_iobuf_del(io, 0, mp_stream->boundary.len + 6);
mp_stream->state = MPS_FINALIZE;
return 1;
} else {
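Review bot: lowering both the subtraction and the later mg_iobuf_del() from boundary.len + 8 to boundary.len + 6 removes the underflow, but it also changes how many bytes are dropped after the part data once `consumed == data_len`; the commit message only says the +6 now matches the guard at line 250, not what the original 8 bytes covered, so please state in the message (or a comment above `size_t data_len = io->len - (mp_stream->boundary.len + 6);`) what boundary.len + 6 accounts for, and confirm that the two bytes no longer skipped are not a terminator that now either lands in the data_len handed to the MG_EV_HTTP_PART_DATA handler or stays in the iobuf when the state moves to MPS_FINALIZE. If they were, the alternative fix is to keep +8 here and raise the guard at line 250 to boundary.len + 8 so the function simply waits for more input. In either variant an explicit `if (io->len < mp_stream->boundary.len + 6) return 0;` directly before the subtraction would keep this branch safe even if the guard is edited again later. The re-indented `(char *) io->buf, data_len);` line is unchanged code and only adds whitespace noise to the diff.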
--
2.43.0
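The guard/subtraction mismatch the commit message describes, modelled in C as an added example; this is not mongoose or SWUpdate code. The function names unchecked_data_len, checked_data_len and count_underflows, the constant GUARD_SLACK and the boundary length of 10 are assumptions constructed for the demonstration. The unchecked form reproduces the size_t wrap for io->len in [boundary.len + 6, boundary.len + 7] when 8 is subtracted; the checked form shows the guard a reviewer would want directly in front of the subtraction, so the branch cannot produce a wrapped length even if the outer guard and the trailer constant drift apart again.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Slack the outer guard requires before the boundary search runs.
 * Mirrors the "+ 6" in the guard quoted in the commit message (assumed value). */
#define GUARD_SLACK 6

/* Pre-patch arithmetic: the subtraction exactly as the else branch does it.
 * With trailer == 8 it wraps for io_len in [boundary_len + 6, boundary_len + 7]. */
size_t unchecked_data_len(size_t io_len, size_t boundary_len, size_t trailer) {
    return io_len - (boundary_len + trailer);
}

/* Hardened form: refuse to subtract more than is buffered. Returns false
 * instead of a wrapped size_t so the caller can wait for more data. */
bool checked_data_len(size_t io_len, size_t boundary_len, size_t trailer,
                      size_t *out) {
    if (boundary_len > SIZE_MAX - trailer) return false;  /* sum would overflow */
    size_t needed = boundary_len + trailer;
    if (io_len < needed) return false;                    /* would underflow */
    *out = io_len - needed;
    return true;
}

/* Walk every io_len the outer guard lets through (starting at the first value
 * that passes "io_len >= boundary_len + GUARD_SLACK") over a small window and
 * count how many produce a data_len larger than the buffer itself, i.e. a wrap. */
int count_underflows(size_t boundary_len, size_t trailer) {
    int wrapped = 0;
    size_t first = boundary_len + GUARD_SLACK;          /* guard passes from here on */
    for (size_t io_len = first; io_len < first + 16; io_len++) {
        size_t data_len = unchecked_data_len(io_len, boundary_len, trailer);
        if (data_len > io_len) wrapped++;  /* sane data_len never exceeds buffered bytes */
    }
    return wrapped;
}

int main(void) {
    size_t blen = 10;  /* constructed boundary length */
    size_t out;

    printf("trailer 8: %d guard-passing lengths wrap\n", count_underflows(blen, 8));
    printf("trailer 6: %d guard-passing lengths wrap\n", count_underflows(blen, 6));

    /* The two concrete lengths from the commit message, boundary.len + 6 and + 7 */
    printf("io_len=%zu: unchecked data_len=%zu\n", blen + 6,
           unchecked_data_len(blen + 6, blen, 8));
    printf("io_len=%zu: checked -> %s\n", blen + 6,
           checked_data_len(blen + 6, blen, 8, &out) ? "ok" : "need more data");
    return 0;
}
```

With trailer 8 exactly two guard-passing lengths wrap (to SIZE_MAX - 1 and SIZE_MAX); with trailer 6, matching the guard, none do. The checked variant returns false for those same two lengths instead of a wrapped size, which is the behaviour a parser should have in that state regardless of which constant the outer guard uses.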
