mirror of
https://github.com/espressif/esp-idf.git
synced 2026-07-16 16:03:08 +03:00
In httpd_parse.c, cb_headers_complete() converted the HTTP parser's content_length (uint64_t) to the request's content_len (size_t) via an unsafe cast through (int). On a 32-bit size_t target a Content-Length above 4 GiB silently truncated, enabling request smuggling where the server and an upstream proxy disagree on the body length (CWE-681). Reject any Content-Length above UINT32_MAX with 413 Content Too Large before any handler runs. UINT32_MAX is the largest body length the server can represent in size_t content_len on every target, so this is the maximum the server can support; no configuration knob is needed. Closes SEC-102 Closes SEC-229