view Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch @ 2248:69b0f4e8a49b

Escape multipart type parameter value in Content-Type header

## Summary

Multipart responses do not quote/escape the value of their type parameter (the subtype) even though it always contains at least one special character (the slash "/"), which confuses standard-compliant HTTP clients.

## Details

The Content-Type header in HTTP is in RFC 7231, Section 3.1.1.5:

https://tools.ietf.org/html/rfc7231#section-3.1.1.5

The section defers to the media type section (3.1.1.1) for the syntax of the media type:

https://tools.ietf.org/html/rfc7231#section-3.1.1.1

This states that a parameter value can be quoted:

    parameter = token "=" ( token / quoted-string )

    A parameter value that matches the token production can be transmitted either as a token or within a quoted-string. The quoted and unquoted values are equivalent.

Tokens are defined in RFC 7230, Section 3.2.6 (via RFC 7231, appendix C):

https://tools.ietf.org/html/rfc7231#appendix-C
https://tools.ietf.org/html/rfc7230#section-3.2.6

Here we observe that tokens cannot contain a slash "/" character:

    token = 1*tchar

    tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
          / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
          / DIGIT / ALPHA
          ; any VCHAR, except delimiters

    Delimiters are chosen from the set of US-ASCII visual characters not allowed in a token (DQUOTE and "(),/:;<=>?@[\]{}").

However, the current implementation does not quote/escape the value of the type parameter:

    multipart/related; type=application/dicom

Instead, it should be:

    multipart/related; type="application/dicom"

All of this also seems to apply to the MIME Content-Type header definition, even though it is a little different:

https://www.iana.org/assignments/message-headers
https://tools.ietf.org/html/rfc2045#section-5.1
https://tools.ietf.org/html/rfc2387
author Thibault Nélis <tn@osimis.io>
date Mon, 16 Jan 2017 13:07:11 +0100
parents 6ac6193a7935
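The token versus quoted-string rule from the commit message above, as an added example (not code from this changeset or from the project): the function names are hypothetical, and rejecting control characters is an assumption made here so that a value containing CR/LF cannot split the header.

```cpp
#include <stdexcept>
#include <string>

// RFC 7230, Section 3.2.6: tchar = "!" / "#" / ... / DIGIT / ALPHA
static bool IsTchar(char c)
{
  if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
    return true;
  return std::string("!#$%&'*+-.^_`|~").find(c) != std::string::npos;
}

// A parameter value may be sent unquoted only if it is a non-empty token.
static bool IsToken(const std::string& value)
{
  if (value.empty())
    return false;
  for (std::string::size_type i = 0; i < value.size(); i++)
    if (!IsTchar(value[i]))
      return false;
  return true;
}

// Returns the value as a token when that is legal, otherwise as a
// quoted-string with DQUOTE and backslash escaped as quoted-pairs.
std::string FormatParameterValue(const std::string& value)
{
  if (IsToken(value))
    return value;
  std::string quoted = "\"";
  for (std::string::size_type i = 0; i < value.size(); i++)
  {
    const unsigned char c = static_cast<unsigned char>(value[i]);
    // Control characters (CR, LF, NUL, ...) are not valid in a quoted-string
    // and would allow header injection, so they are refused outright.
    if ((c < 0x20 && c != '\t') || c == 0x7f)
      throw std::invalid_argument("control character in parameter value");
    if (c == '"' || c == '\\')
      quoted += '\\';
    quoted += value[i];
  }
  return quoted + "\"";
}

// Hypothetical helper: builds the header value discussed in the commit message.
std::string MultipartRelatedContentType(const std::string& subtype)
{
  return "multipart/related; type=" + FormatParameterValue(subtype);
}
```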

diff -urEb dcmtk-3.6.0.orig/dcmnet/libsrc/dulparse.cc dcmtk-3.6.0/dcmnet/libsrc/dulparse.cc
--- dcmtk-3.6.0.orig/dcmnet/libsrc/dulparse.cc	2010-12-01 09:26:36.000000000 +0100
+++ dcmtk-3.6.0/dcmnet/libsrc/dulparse.cc	2016-12-02 15:58:49.930540033 +0100
@@ -393,6 +393,8 @@
                     return cond;
 
                 buf += length;
+                if (presentationLength < length)
+                  return EC_MemoryExhausted;
                 presentationLength -= length;
                 DCMNET_TRACE("Successfully parsed Abstract Syntax");
                 break;
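Review bot: In the Abstract Syntax branch the new test `if (presentationLength < length)` runs after `buf += length;`, so the pointer has already been advanced by a length that has not yet been validated against the remaining item size. Move the check above `buf += length;` so that nothing is derived from `length` until it is known to fit in `presentationLength`. Two smaller points on the same lines: `EC_MemoryExhausted` describes an allocation failure rather than a malformed length field, so a protocol-level error condition would make the rejection easier to recognise in logs, and the rejection path emits no trace message while the success path does (`DCMNET_TRACE("Successfully parsed Abstract Syntax")`).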
@@ -404,12 +406,16 @@
                 cond = LST_Enqueue(&context->transferSyntaxList, (LST_NODE*)subItem);
                 if (cond.bad()) return cond;
                 buf += length;
+                if (presentationLength < length)
+                  return EC_MemoryExhausted;
                 presentationLength -= length;
                 DCMNET_TRACE("Successfully parsed Transfer Syntax");
                 break;
             default:
                 cond = parseDummy(buf, &length, presentationLength);
                 buf += length;
+                if (presentationLength < length)
+                  return EC_MemoryExhausted;
                 presentationLength -= length;
                 break;
             }
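Review bot: In the `default:` branch the result of `cond = parseDummy(buf, &length, presentationLength);` is never tested before `length` is used in `buf += length;` and in the new comparison, unlike the Transfer Syntax branch, which has `if (cond.bad()) return cond;`. Add the same `cond.bad()` test directly after the `parseDummy` call so that a failed parse cannot feed an unreliable `length` into the pointer arithmetic. As in the previous hunk, both new checks in this hunk come after `buf += length;` and should precede it; in the Transfer Syntax branch the sub-item has also already been passed to `LST_Enqueue` when the check fails, so it is worth confirming that the caller releases `context->transferSyntaxList` on this early return. The identical two-line check now appears three times in the switch; a single check in one place (or a small helper) would keep the branches from drifting apart.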