Files
esp-idf/components/esp_http_server
Aditya Patwardhan 9d3f510c7f fix(esp_http_server): reject Content-Length above UINT32_MAX
In httpd_parse.c, cb_headers_complete() converted the HTTP parser's
content_length (uint64_t) to the request's content_len (size_t) via an
unsafe cast through (int). On a 32-bit size_t target a Content-Length
above 4 GiB silently truncated, enabling request smuggling where the
server and an upstream proxy disagree on the body length (CWE-681).

Reject any Content-Length above UINT32_MAX with 413 Content Too Large
before any handler runs. UINT32_MAX is the largest body length the
server can represent in size_t content_len on every target, so this is
the maximum the server can support; no configuration knob is needed.

Closes SEC-102
Closes SEC-229
2026-07-02 10:46:36 +05:30
..